refactor: remove openssl-1.0.2-fips 'allow md5' logic #5048

Merged: 5 commits into aws:main from openssl3fips_hash_1, Jan 23, 2025

Contributor

@lrstewart lrstewart commented Jan 17, 2025

Release Summary:

Resolved issues:

Related to #5045. We need to clean up the old mess before we add a new mess.

Description of changes:

I remove the s2n_hash_allow_md5_for_fips, s2n_digest_is_md5_allowed_for_fips, and s2n_digest_allow_md5_for_fips methods because after the removal of openssl-1.0.2-fips support, they're not actually doing anything. I explain more in in-line comments, but:

  • s2n_hash_allow_md5_for_fips and s2n_digest_allow_md5_for_fips are a no-op for every libcrypto except openssl-1.0.2-fips
  • s2n_digest_is_md5_allowed_for_fips is mostly just used to gate calls to *_allow_md5_for_fips

Call-outs:

If you search for the removed methods, you'll still find references in the CBMC proofs. To keep this PR reviewable, I'm going to clean those up as a follow-up, since they don't affect testing.

Testing:

Existing tests continue to pass. I only needed to update one unit test, and I explain why in-line.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Jan 17, 2025
@lrstewart lrstewart force-pushed the openssl3fips_hash_1 branch 2 times, most recently from 61a6c2a to 2e4811b Compare January 18, 2025 00:20
@lrstewart lrstewart force-pushed the openssl3fips_hash_1 branch from 2e4811b to 9bfe1fa Compare January 18, 2025 00:53
@lrstewart lrstewart marked this pull request as ready for review January 18, 2025 01:23
Comment on lines -29 to -34
S2N_ERROR_IF(!s2n_is_in_fips_mode() || (evp_digest->ctx == NULL), S2N_ERR_ALLOW_MD5_FOR_FIPS_FAILED);

#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
EVP_MD_CTX_set_flags(evp_digest->ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
#endif
return S2N_SUCCESS;
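
Review bot: S2N_ERR_ALLOW_MD5_FOR_FIPS_FAILED, raised by the removed S2N_ERROR_IF line, may be left with no remaining user once this function is gone. If no other call site raises it, consider removing the error code or marking it unused in the same change, so the error table does not keep an entry that can never be returned.
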
Contributor Author

This translates to "if openssl+fips, call an API to allow md5". With the removal of openssl-1.0.2-fips, we no longer support openssl+fips, and this is a no-op. I've removed it everywhere it appears.

Contributor

Does Openssl-3-fips support the use of md5? Just want to make sure we won't need to add any of this logic back when we add support for openssl-3-fips.

Contributor Author

openssl-3.0-fips doesn't support the use of md5, or a couple other options. But openssl-3.0 also doesn't support enabling MD5 this way. There's no overlap between how openssl-3.0 does fips and how openssl-1.0.2 did fips. We can't reuse the openssl-1.0.2-fips logic, so it's cleaner to just tear it out where we find it. And this particular logic is way more complicated / deceptive than it needs to be anyway.

Comment on lines -40 to -51
*out = false;
#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
if (s2n_is_in_fips_mode() && evp_digest && evp_digest->ctx && EVP_MD_CTX_test_flags(evp_digest->ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
/* s2n is in FIPS mode and the EVP digest allows MD5. */
*out = true;
}
#else
if (s2n_is_in_fips_mode()) {
/* If s2n is in FIPS mode and built with AWS-LC or BoringSSL, there are no flags to check in the EVP digest to allow MD5. */
*out = true;
}
#endif
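
Review bot: The comment in the removed #else branch ("there are no flags to check in the EVP digest to allow MD5") is the only place in these lines that records why AWS-LC and BoringSSL builds treat MD5 as usable in FIPS mode without a per-context flag. With the function deleted, consider carrying that explanation over to wherever the FIPS decision for MD5 now lives, so the reason for permitting it stays documented next to the code.
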
Contributor Author

@lrstewart lrstewart Jan 18, 2025

This one's a bit trickier. It roughly translates to:

if not fips: false
If openssl+fips: maybe true
If awslc+fips: true

So with the removal of openssl+fips via openssl-1.0.2-fips, this method boils down to "is fips?".

We only use this method for two purposes (see search):

Comment on lines +18 to +20
/*
* TODO: update all CBMC proofs that depend on this file, then delete.
*/
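
Review bot: The TODO added at +18 to +20 names no owner and no tracking reference. Consider citing the follow-up issue or PR in the comment itself, so the file is not left behind as an unexplained stub if the follow-up slips.
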
Contributor Author

@lrstewart lrstewart Jan 18, 2025

If I delete this file, I have to update ALL of the s2n_hash CBMC proofs because they all declare it as a source file. It's unnecessary noise, so I'd prefer to do it in a follow-up PR: fe97ffa

Comment on lines -116 to -117
/* return false if in FIPS mode, as MD5 algs are not available in FIPS mode. */
return !s2n_is_in_fips_mode();
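
Review bot: Dropping "return !s2n_is_in_fips_mode();" changes what this function reports for the MD5 algorithms in FIPS mode, and nothing in these lines pins the new result. Consider a unit-test assertion on the function's return value for MD5 in FIPS mode, so the behaviour is fixed by a test rather than by the absence of this check.
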
Contributor Author

This was not really true even before this change. You could use md5 with fips in awslc, just not in openssl-1.0.2. So whenever we checked s2n_hash_is_available and got "false" because of fips, we'd then check s2n_digest_is_md5_allowed_for_fips and get "true", overriding the original "false". I'm just skipping straight to the final "true".

You can confirm the limited non-test usage of this method: https://github.com/search?q=repo%3Aaws%2Fs2n-tls+s2n_hash_is_available+-path%3A*tests%2Funit%2F*.c&type=code

Contributor

@jouho jouho Jan 22, 2025

Since we are here, can we also update this comment to reflect the current behavior?
"The handshake MD5 hash state will fail the s2n_hash_is_available() check since MD5 is not permitted in FIPS mode" is no longer correct.

/* The handshake MD5 hash state will fail the s2n_hash_is_available() check
* since MD5 is not permitted in FIPS mode. This check will not be used as
* the handshake MD5 hash state is specifically used by the TLS 1.0 and TLS 1.1
* PRF, which is required to comply with the TLS 1.0 and 1.1 RFCs and is approved
* as per NIST Special Publication 800-52 Revision 1.
*/
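
The two reductions argued in the review comments above (the removed "is md5 allowed for fips" check collapses to "is fips?", and MD5 availability collapses to "true") can be checked exhaustively over a small model. This is an added example, not s2n-tls code: the struct, enum and function names are hypothetical, and it assumes callers combined the two old results with a logical OR, as the author's comment describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the logic discussed in this review; every name here is
 * hypothetical and none of it is s2n-tls code. */
enum libcrypto { LC_OPENSSL, LC_AWSLC, LC_BORINGSSL, LC_COUNT };

struct config {
    enum libcrypto lc;
    bool fips;           /* result of the "is in FIPS mode" check */
    bool ctx_present;    /* evp_digest and evp_digest->ctx are non-NULL */
    bool non_fips_allow; /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW is set on the ctx */
};

/* Removed "is md5 allowed for fips" check, as shown in the -40..-51 lines. */
static bool old_md5_allowed_for_fips(const struct config *c)
{
    if (c->lc == LC_OPENSSL) {
        return c->fips && c->ctx_present && c->non_fips_allow;
    }
    /* AWS-LC / BoringSSL: no flag to test, FIPS mode alone decides. */
    return c->fips;
}

/* Removed availability rule for MD5, as shown in the -116..-117 lines. */
static bool old_md5_is_available(const struct config *c)
{
    return !c->fips;
}

/* Assumption: callers OR'ed the two results, per the author's description. */
static bool old_md5_effectively_usable(const struct config *c)
{
    return old_md5_is_available(c) || old_md5_allowed_for_fips(c);
}

/* openssl+fips is the combination dropped with openssl-1.0.2-fips support. */
static bool is_openssl_fips(const struct config *c)
{
    return c->lc == LC_OPENSSL && c->fips;
}

typedef bool (*violation_fn)(const struct config *c);

/* Property 1: the old check is just "is fips?". */
static bool allowed_differs_from_fips(const struct config *c)
{
    return old_md5_allowed_for_fips(c) != c->fips;
}

/* Property 2: MD5 always ends up usable. */
static bool md5_not_usable(const struct config *c)
{
    return !old_md5_effectively_usable(c);
}

/* Enumerate all 24 modelled configurations (3 libcryptos x 3 boolean inputs)
 * and count those that violate the given property. */
static int count_violations(violation_fn violates, bool include_openssl_fips)
{
    int count = 0;
    for (int lc = 0; lc < LC_COUNT; lc++) {
        for (int bits = 0; bits < 8; bits++) {
            struct config c = {
                .lc = (enum libcrypto) lc,
                .fips = (bits & 1) != 0,
                .ctx_present = (bits & 2) != 0,
                .non_fips_allow = (bits & 4) != 0,
            };
            if (!include_openssl_fips && is_openssl_fips(&c)) {
                continue;
            }
            if (violates(&c)) {
                count++;
            }
        }
    }
    return count;
}

int main(void)
{
    printf("supported configs: allowed != fips in %d, md5 unusable in %d\n",
            count_violations(allowed_differs_from_fips, false),
            count_violations(md5_not_usable, false));
    printf("with openssl+fips: allowed != fips in %d, md5 unusable in %d\n",
            count_violations(allowed_differs_from_fips, true),
            count_violations(md5_not_usable, true));
    return 0;
}
```

The only configurations where either property fails are the openssl+fips ones in which the context or the flag is missing, which is the case the removed code existed to handle.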

@lrstewart lrstewart requested review from goatgoose and jouho January 18, 2025 01:25
lrstewart added a commit to lrstewart/s2n that referenced this pull request Jan 18, 2025
lrstewart added a commit to lrstewart/s2n that referenced this pull request Jan 18, 2025
Comment on lines +200 to +202
/* Re-initialize hashes for remaining tests */
EXPECT_SUCCESS(s2n_hash_init(&hash_one, S2N_HASH_SHA512));
EXPECT_SUCCESS(s2n_hash_init(&hash_two, S2N_HASH_SHA512));
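
Review bot: The comment at +200 says the hashes are re-initialized but not why S2N_HASH_SHA512 is the algorithm chosen. Consider stating in the comment whether the remaining tests depend on SHA-512 or would work with any algorithm, so a later reader does not assume the choice is load-bearing.
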
Contributor Author

@lrstewart lrstewart Jan 22, 2025

This test just kept using the hashes initialized to whatever hash algorithm was set last in the loop above, which just happens to be sha512 (the md5+sha1 was previously skipped). I kept the sha512 "choice", but made it explicit.

Comment on lines +186 to +187
EXPECT_FAILURE_WITH_ERRNO(sign_result, S2N_ERR_HASH_INVALID_ALGORITHM);
}
Contributor Author

Instead of just skipping the md5 algorithms, I checked that they really aren't supported so that we can't lose valid coverage.

@lrstewart lrstewart requested a review from goatgoose January 22, 2025 21:14
@lrstewart lrstewart added this pull request to the merge queue Jan 22, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 22, 2025
@lrstewart lrstewart added this pull request to the merge queue Jan 22, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 22, 2025
@lrstewart lrstewart added this pull request to the merge queue Jan 22, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 22, 2025
@lrstewart lrstewart enabled auto-merge January 22, 2025 22:53
@lrstewart lrstewart added this pull request to the merge queue Jan 23, 2025
Merged via the queue into aws:main with commit 8d521fc Jan 23, 2025
44 checks passed
@lrstewart lrstewart deleted the openssl3fips_hash_1 branch January 23, 2025 03:36
lrstewart added a commit to lrstewart/s2n that referenced this pull request Jan 23, 2025
github-merge-queue bot pushed a commit that referenced this pull request Jan 24, 2025
CarolYeh910 pushed a commit to CarolYeh910/s2n-tls that referenced this pull request Jan 24, 2025
CarolYeh910 pushed a commit to CarolYeh910/s2n-tls that referenced this pull request Jan 24, 2025
johubertj pushed a commit to johubertj/s2n-tls that referenced this pull request Feb 13, 2025
johubertj pushed a commit to johubertj/s2n-tls that referenced this pull request Feb 13, 2025
johubertj pushed a commit to johubertj/s2n-tls that referenced this pull request Apr 22, 2025

Co-authored-by: James Mayclin <[email protected]>
# This is the commit message aws#106:

ci: make start_codebuild.sh work for forks (aws#5178)


# This is the commit message aws#107:

chore: add inline noqa suppression (aws#5159)


# This is the commit message aws#108:

test: reduce parameter selection (aws#5161)


# This is the commit message aws#109:

test: fix self-talk pkey offload test for openssl-3.0-fips (aws#5175)


# This is the commit message aws#110:

build(deps): update aws-lc-rs version to remove paste deps (aws#5192)

Co-authored-by: Boquan Fang <[email protected]>
# This is the commit message aws#111:

chore: bump linting action Ubuntu version (aws#5186)

Co-authored-by: Boquan Fang <[email protected]>
# This is the commit message aws#112:

ci: cleanup awslc-fips versioning (aws#5156)


# This is the commit message aws#113:

chore: include Need By Date section in github issue template (aws#5187)

Co-authored-by: Boquan Fang <[email protected]>
# This is the commit message aws#114:

ci: move openssl3fips build to existing asan build (aws#5181)


# This is the commit message aws#115:

fix: openssl-3.0-fips should use separate private rand (aws#5184)


# This is the commit message aws#116:

fix: remove unnecessary RC4 restriction (aws#5170)


# This is the commit message aws#117:

fix: openssl-3.0-fips should use libcrypto HKDF (aws#5183)

Co-authored-by: Sam Clark <[email protected]>
# This is the commit message aws#118:

ci: defend against unset version number in awslc installer (aws#5195)


# This is the commit message aws#119:

feature: openssl-3.0-fips support (aws#5191)


# This is the commit message aws#120:

ci: add libcrypto openssl-3.0-fips to integ tests (aws#5202)


# This is the commit message aws#121:

ci: add openssl-3.0-fips to asan build properly (aws#5204)


# This is the commit message aws#122:

fix: handshake message length integer overflow in s2n_handshake_finish_header (aws#5206)

Co-authored-by: Boquan Fang <[email protected]>
# This is the commit message aws#123:

chore: deprecate s2n_set (aws#5155)


# This is the commit message aws#124:

chore: binding release 0.3.14 (aws#5210)


# This is the commit message aws#125:

Remove PQ TLS 1.2 from all Security Policies (aws#5194)


# This is the commit message aws#126:

ci: exclude new setuptools (aws#5215)


# This is the commit message aws#127:

fix: Update README.md to include Rust bindings docs (aws#5212)


# This is the commit message aws#128:

feat: add s2n_connection_get_key_exchange_group (aws#5209)


# This is the commit message aws#129:

chore: bindings release 0.3.15 (aws#5221)


# This is the commit message aws#130:

ci: add openssl-3.0-fips to valgrind (aws#5211)


# This is the commit message aws#131:

docs: fix openssl-3.0-fips provider requirements documentation (aws#5214)


# This is the commit message aws#132:

refactor(bindings): use implicit linking for aws-lc (aws#5218)


# This is the commit message aws#133:

fix: tighten session ticket lifetime (aws#5217)


# This is the commit message aws#134:

ci: Fix cppcheck build (aws#5238)


# This is the commit message aws#135:

refactor: implement match the same for all pkeys (aws#5224)


# This is the commit message aws#136:

ci: add openssl-3.0-fips to general batch (aws#5207)


# This is the commit message aws#137:

refactor: add evp pkey size/encrypt/decrypt methods (aws#5225)


# This is the commit message aws#138:

feat(bindings): expose certificate match api (aws#5220)

Co-authored-by: James Mayclin <[email protected]>
# This is the commit message aws#139:

ci: add ruff linting (aws#5182)


# This is the commit message aws#140:

ci: pin nix installer to older version (aws#5245)


# This is the commit message aws#141:

chore: Fix new clippy warning (aws#5243)

Co-authored-by: Boquan Fang <[email protected]>
# This is the commit message aws#142:

ci: rebalance integV2 testcases (aws#5232)


# This is the commit message aws#143:

fix: tainted handshake.io and add large client hello test (aws#5208)

Co-authored-by: Boquan Fang <[email protected]>
# This is the commit message aws#144:

chore: bindings release 0.3.16 (aws#5242)

Co-authored-by: Boquan Fang <[email protected]>
# This is the commit message aws#145:

refactor: remove legacy pkey impls (aws#5241)


# This is the commit message aws#146:

Revert "ci: exclude new setuptools (aws#5215)" (aws#5226)


# This is the commit message aws#147:

fix: make -fPIC flag private (aws#5227)

Co-authored-by: Souvik Banerjee <[email protected]>
# This is the commit message aws#148:

doc: tainted stuffer reset operation (aws#5231)

Co-authored-by: Boquan Fang <[email protected]>
# This is the commit message aws#149:

feat: Expose `as_ptr()` for external build (aws#5229)


# This is the commit message aws#150:

ci: pytest generate junit reports (aws#5235)


# This is the commit message aws#151:

add compiler flag

# This is the commit message aws#152:

added c check x86 and correct compiler

# This is the commit message aws#153:

cmake fix

# This is the commit message aws#154:

testing

# This is the commit message aws#155:

removed clang

# This is the commit message aws#156:

Print statements

# This is the commit message aws#157:

compiler check

# This is the commit message aws#158:

print

# This is the commit message aws#159:

find clang

# This is the commit message aws#160:

branch probing

# This is the commit message aws#161:

removed individual probing

# This is the commit message aws#162:

removed old unneeded changes

# This is the commit message aws#163:

added back original line

# This is the commit message aws#164:

fixed .c file

# This is the commit message aws#165:

ci: use correct openssl version for updated AL2023 version (aws#5255)


# This is the commit message aws#166:

chore(ci): revert nix installer pin (aws#5251)


# This is the commit message aws#167:

ci: add awslcfips to nix jobs (aws#5205)

Co-authored-by: Copilot <[email protected]>
# This is the commit message aws#168:

moved adding options to the bottom

# This is the commit message aws#169:

compiler debug prints

# This is the commit message aws#170:

clang printout

# This is the commit message aws#171:

remove setting compiler to clang

# This is the commit message aws#172:

set clang as default

# This is the commit message aws#173:

remove clang

# This is the commit message aws#174:

move fuzz cmake into its own directory

# This is the commit message aws#175:

fixed path to fuzz

# This is the commit message aws#176:

back to original

# This is the commit message aws#177:

only branch if we're not fuzz tests

# This is the commit message aws#178:

add clang back now

# This is the commit message aws#179:

removed debugging prints

# This is the commit message aws#180:

removed checking for compiler

# This is the commit message aws#181:

testing move back original block