Merge branch 'main' into integ-logging

aws · Dec 12, 2024 · dbaccff · dbaccff
2 parents 2b66944 + 76cba02
commit dbaccff
Show file tree

Hide file tree

Showing 107 changed files with 1,821 additions and 884 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -10,13 +10,27 @@ updates:
     directory: "/.github/workflows"
     schedule:
       interval: "daily"
+    groups:
+      all-gha-updates:
+        patterns:
+          - "*"
 
-  # Maintain dependencies for cargo
+  # permissive-MSRV, batch updates are acceptable
   - package-ecosystem: "cargo"
     directories:
-      - "/bindings/rust"
       - "/bindings/rust-examples"
       - "/tests/pcap"
       - "/tests/regression"
     schedule:
       interval: "daily"
+    groups:
+      all-cargo-updates:
+        patterns:
+          - "*"
+
+  # restricted-MSRV, so don't do batch updates
+  - package-ecosystem: "cargo"
+    directories:
+      - "/bindings/rust"
+    schedule:
+      interval: "daily"
diff --git a/.github/teams.yml b/.github/teams.yml
@@ -9,3 +9,4 @@ s2n-core:
   - '@jmayclin'
   - '@jouho'
   - '@boquan-fang'
+  - '@CarolYeh910'
diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
@@ -14,10 +14,10 @@ jobs:
       contents: read  # This is required for actions/checkout
       id-token: write # This is required for requesting the JWT
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup Python
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@v5
         with:
           python-version: '3.x'
 
@@ -37,7 +37,7 @@ jobs:
         run: cargo criterion --message-format json > criterion_output.log
 
       - name: Configure AWS Credentials
-        uses: aws-actions/[email protected].1
+        uses: aws-actions/[email protected].2
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
           role-session-name: s2ntlsghabenchsession

diff --git a/.github/workflows/ci_compliance.yml b/.github/workflows/ci_compliance.yml
@@ -12,16 +12,17 @@ on:
 permissions:
   contents: read  # This is required for actions/checkout
   id-token: write # This is required for requesting the JWT/OIDC
+  statuses: write # Required for dependabot PRs https://github.com/ouzi-dev/commit-status-updater?tab=readme-ov-file#workflow-permissions
 
 jobs:
   duvet:
     runs-on: ubuntu-latest
     steps:
       - name: Clone s2n-tls
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Clone s2n-quic
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: aws/s2n-quic
           path: ./s2n-quic

diff --git a/.github/workflows/ci_freebsd.yml b/.github/workflows/ci_freebsd.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     name: CI FreeBSD
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Build and test in FreeBSD
         id: test
         uses: vmactions/freebsd-vm@v1

diff --git a/.github/workflows/ci_linting.yml b/.github/workflows/ci_linting.yml
@@ -15,14 +15,14 @@ jobs:
     env:
       CPPCHECK_INSTALL_DIR: test-deps/cppcheck
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup
         run: source ./codebuild/bin/s2n_setup_env.sh
 
       - name: Cache
         id: cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v4
         continue-on-error: true
         with:
           path: ${{ env.CPPCHECK_INSTALL_DIR }}
@@ -38,7 +38,7 @@ jobs:
   headers:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup
         run: source ./codebuild/bin/s2n_setup_env.sh
@@ -49,7 +49,7 @@ jobs:
   simple-mistakes:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup
         run: source ./codebuild/bin/s2n_setup_env.sh
@@ -60,7 +60,7 @@ jobs:
   comments:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup
         run: source ./codebuild/bin/s2n_setup_env.sh
@@ -76,7 +76,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Run autopep8
         id: autopep8
         uses: peter-evans/autopep8@v2
@@ -90,7 +90,7 @@ jobs:
   clang-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: clang-format check
         uses: harrisonkaiser/clang-format-action@verbose
         with:
@@ -100,17 +100,17 @@ jobs:
     # The nix develop changes contain broken nixpkg dependenecies; the allow/impure flags workaround this.
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: nixbuild/nix-quick-install-action@v21
+      - uses: actions/checkout@v4
+      - uses: nixbuild/nix-quick-install-action@v29
         with:
           nix_conf: experimental-features = nix-command flakes
       - name: nix flake check
         run: NIXPKGS_ALLOW_BROKEN=1 NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix flake check --impure
   nixfmt:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: nixbuild/nix-quick-install-action@v21
+      - uses: actions/checkout@v4
+      - uses: nixbuild/nix-quick-install-action@v29
         with:
           nix_conf: experimental-features = nix-command flakes
       - name: nix fmt

diff --git a/.github/workflows/ci_openbsd.yml b/.github/workflows/ci_openbsd.yml
@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@v4
       - name: Build and test in OpenBSD
         id: test
-        uses: cross-platform-actions/action@v0.23.0
+        uses: cross-platform-actions/action@v0.26.0
         with:
           operating_system: openbsd
           architecture: x86-64

diff --git a/.github/workflows/ci_rust.yml b/.github/workflows/ci_rust.yml
@@ -11,7 +11,7 @@ on:
 env:
   # Pin the nightly toolchain to prevent breakage.
   # This should be occasionally updated.
-  RUST_NIGHTLY_TOOLCHAIN: nightly-2024-01-01
+  RUST_NIGHTLY_TOOLCHAIN: nightly-2024-12-01
   ROOT_PATH: bindings/rust
   EXAMPLE_WORKSPACE: bindings/rust-examples
   PCAP_TEST_PATH: tests/pcap
@@ -24,7 +24,7 @@ jobs:
       matrix:
         os: [ubuntu-latest, macOS-latest]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install Rust toolchain
         id: toolchain
@@ -35,7 +35,7 @@ jobs:
       # https://github.com/aws/aws-lc-rs/blob/main/aws-lc-fips-sys/README.md#build-prerequisites
       # go required for generate.sh to build aws-lc-rs in FIPS mode
       - name: Install go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: '>=1.18'
 
@@ -60,7 +60,10 @@ jobs:
 
       - name: Network-enabled integration tests
         working-directory: ${{env.ROOT_PATH}}/integration
-        run: RUST_LOG=TRACE cargo test --features network-tests
+        # no-default-features is used because network tests are hidden behind a
+        # default "negative" feature. This is because we don't want network tests
+        # invoked on the `cargo test --all-features` pattern.
+        run: RUST_LOG=TRACE cargo test --no-default-features --features pq
 
       - name: Test external build
         # if this test is failing, make sure that api headers are appropriately
@@ -87,7 +90,7 @@ jobs:
   harness-interop-tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install Rust toolchain
         id: toolchain
@@ -105,7 +108,7 @@ jobs:
   s2n-tls-binding-examples:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install Rust toolchain
         id: toolchain
@@ -123,7 +126,7 @@ jobs:
   generate-openssl-102:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install Rust toolchain
         id: toolchain
@@ -135,7 +138,7 @@ jobs:
 
       - name: Cache OpenSSL 1.0.2
         id: cache-openssl
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/openssl-102/install
           key: ${{ runner.os }}-openssl-102
@@ -174,7 +177,7 @@ jobs:
       matrix:
         os: [ubuntu-latest, macOS-latest]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
@@ -187,7 +190,7 @@ jobs:
       # https://github.com/aws/aws-lc-rs/blob/main/aws-lc-fips-sys/README.md#build-prerequisites
       # go required to build aws-lc-rs in FIPS mode
       - name: Install go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: '>=1.18'
 
@@ -210,10 +213,52 @@ jobs:
         run: |
           cargo test --tests --all-features
 
+  # Run the rust unit tests under address sanitizer.
+  #
+  # Rust is generally memory safe, but our bindings contain a large amount of unsafe
+  # code. Additionally, "safe" code doesn't guarentee that the code is free of 
+  # memory leaks.
+  asan-unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        id: toolchain
+        run: |
+          rustup toolchain install ${{env.RUST_NIGHTLY_TOOLCHAIN }} \
+            --profile minimal \
+            --component rust-src \
+            --target x86_64-unknown-linux-gnu
+          rustup override set ${{ env.RUST_NIGHTLY_TOOLCHAIN }}
+      
+      - name: Generate
+        run: ./${{env.ROOT_PATH}}/generate.sh --skip-tests
+
+      # asan expects a binary at /usr/bin/llvm-symbolizer but GHA runners include
+      # multiple versioned binaries, like /usr/bin/llvm-symbolizer-13. This step
+      # finds the latest symbolizer and use it as the "base" llvm-symbolizer binary.
+      #
+      # llvm-symbolizer is necessary to get nice stack traces from asan errors. 
+      # Otherwise the stack trace just contains a hex address like "0x55bc6a28a9b6"
+      - name: set llvm symbolizer
+        run: |
+          sudo ln -s $(find /usr/bin/ -maxdepth 1 -name "llvm-symbolizer-*" | sort -V | tail -n 1) /usr/bin/llvm-symbolizer
+
+      - name: Run Unit Tests under ASAN
+        env:
+          RUSTDOCFLAGS: -Zsanitizer=address
+          RUSTFLAGS: -Zsanitizer=address
+        run: |
+          cargo test \
+            -Zbuild-std \
+            --manifest-path ${{ env.ROOT_PATH}}/Cargo.toml \
+            --target x86_64-unknown-linux-gnu
+
   rustfmt:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
@@ -237,7 +282,7 @@ jobs:
   clippy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
@@ -267,7 +312,7 @@ jobs:
   msrv:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
       # Enforce crate msrv matches rust-toolchain
@@ -283,7 +328,7 @@ jobs:
   pcaps:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -32,20 +32,20 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
           config-file: ./.github/codeql-config.yml
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
         if: ${{ matrix.language == 'c' || matrix.language == 'python' }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/dashboard.yml b/.github/workflows/dashboard.yml
@@ -12,9 +12,9 @@ jobs:
       contents: write
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check out GitHub Pages branch
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: 'gh-pages'