Merge branch 'main' into connector-builder

.github/workflows/codeql.yml

@@ -2,13 +2,9 @@ name: "CodeQL - Python"
 
 on:
   push:
-    branches: [ "main" ]
-    paths-ignore:
-      - '**/tests/integration/*'
+    branches: [main]
   pull_request:
-    branches: [ "main" ]
-    paths-ignore:
-      - '**/tests/integration/*'
+    branches: [main]
   schedule:
     - cron: "1 18 * * 0"
   merge_group:
@@ -49,3 +45,24 @@ jobs:
         uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{ matrix.language }}"
+
+  # This is a very simple Action that will act as a substitute required status
+  # check for Code Scanning once you have merge-queue enabled. It will force
+  # Code Scanning to pass at the Pull Request and allow you to skip it in your
+  # repo's merge group. https://github.com/Eldrick19/code-scanning-status-checker
+  check_codeql_status:
+    name: Check CodeQL Status
+    needs: analyze
+    permissions:
+      contents: read
+      checks: read
+      pull-requests: read
+    runs-on: ubuntu-latest
+    if: ${{ github.event_name == 'pull_request' }}
+    steps:
+    - name: Check CodeQL Status
+      uses: eldrick19/code-scanning-status-checker@v2
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        pr_number: ${{ github.event.pull_request.number }}
+        repo: ${{ github.repository }}

.github/workflows/regression_ci.yml

@@ -3,16 +3,21 @@
 name: Performance Regression Test
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches:
       - main
     paths-ignore:
       - tests/regression/**
+  merge_group:
+    types: [checks_requested]
+    branches: [main]
 
 jobs:
   regression-test:
     runs-on: ubuntu-latest
-
+    if: ${{ github.event_name == 'pull_request' }}
     steps:
       # Checkout the code from the pull request branch
       - name: Checkout code

.github/workflows/usage_guide.yml

@@ -6,6 +6,9 @@ on:
   pull_request:
     branches:
       - main
+  merge_group:
+    types: [checks_requested]
+    branches: [main]
 
 env:
   CDN: https://d3fqnyekunr9xg.cloudfront.net

bindings/rust-examples/Cargo.toml

@@ -1,6 +1,6 @@
 [workspace]
 members = [
-    "client-hello-config-resolution",
+    "client-hello-config-resolution", "tokio-server-client",
 ]
 resolver = "2"
 

bindings/rust-examples/client-hello-config-resolution/src/bin/client.rs

@@ -22,7 +22,8 @@ struct Cli {
 async fn main() -> Result<(), Box<dyn Error>> {
     let args = Cli::parse();
     let mut config = s2n_tls::config::Config::builder();
-    let ca: Vec<u8> = std::fs::read(env!("CARGO_MANIFEST_DIR").to_owned() + "/certs/ca-cert.pem")?;
+    let ca: Vec<u8> =
+        std::fs::read(env!("CARGO_MANIFEST_DIR").to_owned() + "/../certs/ca-cert.pem")?;
     config.set_security_policy(&DEFAULT_TLS13)?;
     config.trust_pem(&ca)?;
 

bindings/rust-examples/client-hello-config-resolution/src/bin/server.rs

@@ -72,8 +72,12 @@ impl ClientHelloCallback for AnimalConfigResolver {
 }
 
 fn server_config(animal: &str) -> s2n_tls::config::Config {
-    let cert_path = format!("{}/certs/{}-chain.pem", env!("CARGO_MANIFEST_DIR"), animal);
-    let key_path = format!("{}/certs/{}-key.pem", env!("CARGO_MANIFEST_DIR"), animal);
+    let cert_path = format!(
+        "{}/../certs/{}-chain.pem",
+        env!("CARGO_MANIFEST_DIR"),
+        animal
+    );
+    let key_path = format!("{}/../certs/{}-key.pem", env!("CARGO_MANIFEST_DIR"), animal);
     let cert = std::fs::read(cert_path).unwrap();
     let key = std::fs::read(key_path).unwrap();
     let mut config = s2n_tls::config::Builder::new();

bindings/rust-examples/tokio-server-client/Cargo.toml

@@ -0,0 +1,13 @@
+[package]
+name = "tokio-server-client"
+version.workspace = true
+authors.workspace = true
+publish.workspace = true
+license.workspace = true
+edition.workspace = true
+
+[dependencies]
+s2n-tls = { path = "../../rust/s2n-tls" }
+s2n-tls-tokio = { path = "../../rust/s2n-tls-tokio" }
+tokio = { version = "1", features = ["full"] }
+clap = { version = "4", features = ["derive"] }

bindings/rust/s2n-tls-tokio/examples/client.rs → bindings/rust-examples/tokio-server-client/src/bin/client.rs

@@ -7,12 +7,12 @@ use s2n_tls_tokio::TlsConnector;
 use std::{error::Error, fs};
 use tokio::{io::AsyncWriteExt, net::TcpStream};
 
-/// NOTE: this certificate is to be used for demonstration purposes only!
-const DEFAULT_CERT: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/../certs/cert.pem");
+/// NOTE: this ca is to be used for demonstration purposes only!
+const DEFAULT_CA: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/../certs/ca-cert.pem");
 
 #[derive(Parser, Debug)]
 struct Args {
-    #[clap(short, long, default_value_t = String::from(DEFAULT_CERT))]
+    #[clap(short, long, default_value_t = String::from(DEFAULT_CA))]
     trust: String,
     addr: String,
 }
@@ -29,7 +29,7 @@ async fn run_client(trust_pem: &[u8], addr: &str) -> Result<(), Box<dyn Error>>
 
     // Connect to the server.
     let stream = TcpStream::connect(addr).await?;
-    let tls = client.connect("localhost", stream).await?;
+    let tls = client.connect("www.kangaroo.com", stream).await?;
     println!("{:#?}", tls);
 
     // Split the stream.

bindings/rust/s2n-tls-tokio/examples/server.rs → bindings/rust-examples/tokio-server-client/src/bin/server.rs

@@ -8,8 +8,8 @@ use std::{error::Error, fs};
 use tokio::{io::AsyncWriteExt, net::TcpListener};
 
 /// NOTE: this certificate and key are to be used for demonstration purposes only!
-const DEFAULT_CERT: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/../certs/cert.pem");
-const DEFAULT_KEY: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/../certs/key.pem");
+const DEFAULT_CERT: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/../certs/kangaroo-chain.pem");
+const DEFAULT_KEY: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/../certs/kangaroo-key.pem");
 
 #[derive(Parser, Debug)]
 struct Args {

bindings/rust/bench/Cargo.toml

@@ -3,31 +3,14 @@ name = "bench"
 version = "0.1.0"
 edition = "2021"
 
-[features]
-default = ["rustls", "openssl"]
-rustls = ["dep:rustls", "rustls-pemfile"]
-openssl = ["dep:openssl"]
-memory = ["plotters", "crabgrind", "structopt"]
-historical-perf = ["plotters", "serde_json", "semver"]
-
 [dependencies]
 s2n-tls = { path = "../s2n-tls" }
 errno = "0.3"
 libc = "0.2"
 strum = { version = "0.25", features = ["derive"] }
-rustls = { version = "0.23", optional = true }
-rustls-pemfile = { version = "2", optional = true }
-openssl = { version = "0.10", features = ["vendored"], optional = true }
-crabgrind = { version = "0.1", optional = true }
-structopt = { version = "0.3", optional = true }
-serde_json = { version = "1.0", optional = true }
-semver = { version = "1.0", optional = true }
-
-[dependencies.plotters]
-version = "0.3"
-optional = true
-default-features = false
-features = ["all_series", "all_elements", "full_palette", "svg_backend"]
+rustls = { version = "0.23" }
+rustls-pemfile = { version = "2" }
+openssl = { version = "0.10", features = ["vendored"] }
 
 [dev-dependencies]
 criterion = "0.5"
@@ -37,18 +20,6 @@ pprof = { version = "0.12", features = ["criterion", "flamegraph"] }
 env_logger = "0.10"
 log = "0.4"
 
-[[bin]]
-name = "memory"
-required-features = ["memory"]
-
-[[bin]]
-name = "graph_memory"
-required-features = ["memory"]
-
-[[bin]]
-name = "graph_perf"
-required-features = ["historical-perf"]
-
 [[bench]]
 name = "handshake"
 harness = false

bindings/rust/bench/README.md

@@ -8,7 +8,7 @@ All benchmarks are run in an idealized environment, using only a single thread a
 
 ```
 # generate rust bindings
-../generate.sh
+../generate.sh --skip-tests
 
 # run all benchmarks
 cargo bench
@@ -36,37 +36,6 @@ Throughput benchmarks measure round-trip throughput with the client and server c
 
 To generate flamegraphs, run `cargo bench --bench handshake --bench throughput -- --profile-time 5`, which profiles each benchmark for 5 seconds and stores the resulting flamegraph in `target/criterion/[bench-name]/[lib-name]/profile/flamegraph.svg`.
 
-## Memory benchmarks
-
-To run all memory benchmarks, run `scripts/bench-memory.sh`. Graphs of memory usage will be generated in `images/`.
-
-Memory benchmark data is generated using the `memory` binary. Command line arguments can be given to `cargo run` or to the built executable located at `target/release/memory`. The usage is as follows:
-
-```
-memory [(pair|client|server)] [(s2n-tls|rustls|openssl)] [--reuse-config (true|false)] [--shrink-buffers (true|false)]
-```
-
-- `(pair|client|server)`: target to memory bench, defaults to `server`
-- `(s2n-tls|rustls|openssl)`: library to be benched, if unset benches all libraries
-- `--reuse-config`: if `true` (default), reuse configs between connections
-- `--shrink-buffers`: if `true` (default), shrink buffers owned by connections
-
-To view a callgraph of memory usage, use [KCachegrind](https://github.com/KDE/kcachegrind) on `xtree.out` generated from memory benching:
-
-```
-kcachegrind target/memory/<params>/<target>/<library>/xtree.out
-```
-
-To view a flamegraph of memory usage, use [heaptrack](https://github.com/KDE/heaptrack) with `heaptrack_gui` also installed. Run heaptrack with the `memory` executable and target/library options:
-
-```
-heaptrack target/release/memory (pair|client|server) (s2n-tls|rustls|openssl)
-```
-
-## Historical benchmarks
-
-To do historical benchmarks, run `scripts/bench-past.sh`. This will checkout old versions of s2n-tls back to v1.3.16 in `target/` and run benchmarks on those with the `historical-perf` feature, disabling Rustls and OpenSSL benches.
-
 ## PKI Structure
 ```
    ┌────root──────┐
@@ -88,21 +57,6 @@ The last version benched is v1.3.16, since before that, the s2n-tls Rust binding
 
 v1.3.30-1.3.37 are not benched because of dependency issues when generating the Rust bindings. However, versions before and after are benched, so the overall trend in performance can still be seen without the data from these versions.
 
-### Sample output
-
-Because these benches take a longer time to generate (>30 min), we include the results from historical benching (as of v1.3.47) here.
-
-Notes:
-- Two sets of parameters for the handshake couldn't be benched before 1.3.40, since security policies that negotiated those policies as their top choice did not exist before then.
-- There is no data from 1.3.30 to 1.3.37 because those versions have a dependency issue that cause the Rust bindings not to build. However, there is data before and after that period, so the performance for those versions can be inferred via interpolation.
-- The improvement in throughput in 1.3.28 was most likely caused by the addition of LTO to the default Rust bindings build.
-- Since the benches are run over a long time, noise on the machine can cause variability, and background processes can cause spikes.
-- The variability can be seen with throughput especially because it is calculated as the inverse of time taken.
-
-![historical-perf-handshake](images/historical-perf-handshake.svg)
-
-![historical-perf-throughput](images/historical-perf-throughput.svg)
-
 ## Implementation details
 
 We use Rust bindings for s2n-tls and OpenSSL. All of our benchmarks are run in Rust on a single thread for consistency.

bindings/rust/bench/benches/handshake.rs

@@ -1,13 +1,10 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-#[cfg(feature = "openssl")]
-use bench::OpenSslConnection;
-#[cfg(feature = "rustls")]
-use bench::RustlsConnection;
 use bench::{
     harness::TlsBenchConfig, CipherSuite, ConnectedBuffer, CryptoConfig, HandshakeType, KXGroup,
-    Mode, S2NConnection, SigType, TlsConnPair, TlsConnection, PROFILER_FREQUENCY,
+    Mode, OpenSslConnection, RustlsConnection, S2NConnection, SigType, TlsConnPair, TlsConnection,
+    PROFILER_FREQUENCY,
 };
 use criterion::{
     criterion_group, criterion_main, measurement::WallTime, BatchSize, BenchmarkGroup, Criterion,
@@ -27,25 +24,20 @@ fn bench_handshake_for_library<T>(
 {
     // make configs before benching to reuse
     let crypto_config = CryptoConfig::new(CipherSuite::default(), kx_group, sig_type);
-    let client_config = T::Config::make_config(Mode::Client, crypto_config, handshake_type);
-    let server_config = T::Config::make_config(Mode::Server, crypto_config, handshake_type);
+    let client_config =
+        T::Config::make_config(Mode::Client, crypto_config, handshake_type).unwrap();
+    let server_config =
+        T::Config::make_config(Mode::Server, crypto_config, handshake_type).unwrap();
 
     // generate all harnesses (TlsConnPair structs) beforehand so that benchmarks
     // only include negotiation and not config/connection initialization
     bench_group.bench_function(T::name(), |b| {
         b.iter_batched_ref(
             || -> Result<TlsConnPair<T, T>, Box<dyn Error>> {
-                if let (Ok(client_config), Ok(server_config)) =
-                    (client_config.as_ref(), server_config.as_ref())
-                {
-                    let connected_buffer = ConnectedBuffer::default();
-                    let client =
-                        T::new_from_config(client_config, connected_buffer.clone_inverse())?;
-                    let server = T::new_from_config(server_config, connected_buffer)?;
-                    Ok(TlsConnPair::wrap(client, server))
-                } else {
-                    Err("invalid configs".into())
-                }
+                let connected_buffer = ConnectedBuffer::default();
+                let client = T::new_from_config(&client_config, connected_buffer.clone_inverse())?;
+                let server = T::new_from_config(&server_config, connected_buffer)?;
+                Ok(TlsConnPair::wrap(client, server))
             },
             |conn_pair| {
                 // harnesses with certain parameters fail to initialize for
@@ -67,14 +59,12 @@ fn bench_handshake_with_params(
     sig_type: SigType,
 ) {
     bench_handshake_for_library::<S2NConnection>(bench_group, handshake_type, kx_group, sig_type);
-    #[cfg(feature = "rustls")]
     bench_handshake_for_library::<RustlsConnection>(
         bench_group,
         handshake_type,
         kx_group,
         sig_type,
     );
-    #[cfg(feature = "openssl")]
     bench_handshake_for_library::<OpenSslConnection>(
         bench_group,
         handshake_type,