Merge branch 'main' into hyper-http2

goatgoose · Dec 10, 2024 · 35f900d · 35f900d
2 parents a90e03a + 3c4ea72
commit 35f900d
Show file tree

Hide file tree

Showing 39 changed files with 1,146 additions and 466 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -10,13 +10,27 @@ updates:
     directory: "/.github/workflows"
     schedule:
       interval: "daily"
+    groups:
+      all-gha-updates:
+        patterns:
+          - "*"
 
-  # Maintain dependencies for cargo
+  # permissive-MSRV, batch updates are acceptable
   - package-ecosystem: "cargo"
     directories:
-      - "/bindings/rust"
       - "/bindings/rust-examples"
       - "/tests/pcap"
       - "/tests/regression"
     schedule:
       interval: "daily"
+    groups:
+      all-cargo-updates:
+        patterns:
+          - "*"
+
+  # restricted-MSRV, so don't do batch updates
+  - package-ecosystem: "cargo"
+    directories:
+      - "/bindings/rust"
+    schedule:
+      interval: "daily"
diff --git a/.github/workflows/ci_linting.yml b/.github/workflows/ci_linting.yml
@@ -22,7 +22,7 @@ jobs:
 
       - name: Cache
         id: cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v4
         continue-on-error: true
         with:
           path: ${{ env.CPPCHECK_INSTALL_DIR }}

diff --git a/.github/workflows/ci_openbsd.yml b/.github/workflows/ci_openbsd.yml
@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@v4
       - name: Build and test in OpenBSD
         id: test
-        uses: cross-platform-actions/action@v0.23.0
+        uses: cross-platform-actions/action@v0.26.0
         with:
           operating_system: openbsd
           architecture: x86-64

diff --git a/.github/workflows/ci_rust.yml b/.github/workflows/ci_rust.yml
@@ -11,7 +11,7 @@ on:
 env:
   # Pin the nightly toolchain to prevent breakage.
   # This should be occasionally updated.
-  RUST_NIGHTLY_TOOLCHAIN: nightly-2024-01-01
+  RUST_NIGHTLY_TOOLCHAIN: nightly-2024-12-01
   ROOT_PATH: bindings/rust
   EXAMPLE_WORKSPACE: bindings/rust-examples
   PCAP_TEST_PATH: tests/pcap
@@ -138,7 +138,7 @@ jobs:
 
       - name: Cache OpenSSL 1.0.2
         id: cache-openssl
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/openssl-102/install
           key: ${{ runner.os }}-openssl-102
@@ -213,6 +213,48 @@ jobs:
         run: |
           cargo test --tests --all-features
 
+  # Run the rust unit tests under address sanitizer.
+  #
+  # Rust is generally memory safe, but our bindings contain a large amount of unsafe
+  # code. Additionally, "safe" code doesn't guarentee that the code is free of 
+  # memory leaks.
+  asan-unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        id: toolchain
+        run: |
+          rustup toolchain install ${{env.RUST_NIGHTLY_TOOLCHAIN }} \
+            --profile minimal \
+            --component rust-src \
+            --target x86_64-unknown-linux-gnu
+          rustup override set ${{ env.RUST_NIGHTLY_TOOLCHAIN }}
+      
+      - name: Generate
+        run: ./${{env.ROOT_PATH}}/generate.sh --skip-tests
+
+      # asan expects a binary at /usr/bin/llvm-symbolizer but GHA runners include
+      # multiple versioned binaries, like /usr/bin/llvm-symbolizer-13. This step
+      # finds the latest symbolizer and use it as the "base" llvm-symbolizer binary.
+      #
+      # llvm-symbolizer is necessary to get nice stack traces from asan errors. 
+      # Otherwise the stack trace just contains a hex address like "0x55bc6a28a9b6"
+      - name: set llvm symbolizer
+        run: |
+          sudo ln -s $(find /usr/bin/ -maxdepth 1 -name "llvm-symbolizer-*" | sort -V | tail -n 1) /usr/bin/llvm-symbolizer
+
+      - name: Run Unit Tests under ASAN
+        env:
+          RUSTDOCFLAGS: -Zsanitizer=address
+          RUSTFLAGS: -Zsanitizer=address
+        run: |
+          cargo test \
+            -Zbuild-std \
+            --manifest-path ${{ env.ROOT_PATH}}/Cargo.toml \
+            --target x86_64-unknown-linux-gnu
+
   rustfmt:
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -35,17 +35,17 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
           config-file: ./.github/codeql-config.yml
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
         if: ${{ matrix.language == 'c' || matrix.language == 'python' }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -28,7 +28,7 @@ jobs:
             path: |
               docs/doxygen/output
       - name: Deploy documentation to gh-pages
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@v4
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/bindings/rust/s2n-tls/src/callbacks/pkey.rs b/bindings/rust/s2n-tls/src/callbacks/pkey.rs
@@ -128,7 +128,7 @@ mod tests {
         testing::{self, *},
     };
     use core::task::{Poll, Waker};
-    use futures_test::task::new_count_waker;
+    use futures_test::task::{new_count_waker, noop_waker};
     use openssl::{ec::EcKey, ecdsa::EcdsaSig};
 
     type Error = Box<dyn std::error::Error>;
@@ -350,4 +350,52 @@ mod tests {
         assert_test_error(err, ERROR);
         Ok(())
     }
+
+    /// pkey offload should also work with public certs created from
+    /// [CertificateChain::from_public_pems].
+    #[test]
+    fn app_owned_public_cert() -> Result<(), Error> {
+        struct TestPkeyCallback;
+        impl PrivateKeyCallback for TestPkeyCallback {
+            fn handle_operation(
+                &self,
+                conn: &mut connection::Connection,
+                op: PrivateKeyOperation,
+            ) -> Result<Option<Pin<Box<dyn ConnectionFuture>>>, error::Error> {
+                ecdsa_sign(op, conn, KEY)?;
+                Ok(None)
+            }
+        }
+
+        let public_chain = {
+            let mut chain = crate::cert_chain::Builder::new()?;
+            chain.load_public_pem(CERT)?;
+            chain.build()?
+        };
+
+        let server_config = {
+            let mut config = config::Builder::new();
+            config
+                .set_security_policy(&security::DEFAULT_TLS13)?
+                .load_chain(public_chain)?
+                .set_private_key_callback(TestPkeyCallback)?;
+            config.build()?
+        };
+
+        let client_config = {
+            let mut config = config::Builder::new();
+            config
+                .set_security_policy(&security::DEFAULT_TLS13)?
+                .set_verify_host_callback(InsecureAcceptAllCertificatesHandler {})?
+                .trust_pem(CERT)?;
+            config.build()?
+        };
+
+        let mut pair = TestPair::from_configs(&client_config, &server_config);
+        pair.server.set_waker(Some(&noop_waker()))?;
+
+        assert!(pair.handshake().is_ok());
+
+        Ok(())
+    }
 }