Merge branch 'main' into AlpnCommentary

.github/workflows/ci.yml

@@ -6,7 +6,7 @@ on:
       - 'main'
 
 env:
-  BUILDER_VERSION: v0.9.48
+  BUILDER_VERSION: v0.9.57
   BUILDER_SOURCE: releases
   BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net
   PACKAGE_NAME: aws-c-io
@@ -147,3 +147,41 @@ jobs:
         python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
         chmod a+x builder
         ./builder build -p ${{ env.PACKAGE_NAME }}
+
+  freebsd:
+    runs-on: ubuntu-22.04  # latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build ${{ env.PACKAGE_NAME }} + consumers
+        id: test
+        uses: cross-platform-actions/[email protected]
+        with:
+          operating_system: freebsd
+          architecture: x86-64
+          version: '14.0'
+          cpu_count: 4
+          shell: bash
+          run: |
+            sudo pkg install -y python3 py39-urllib3
+            python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
+            chmod a+x builder
+            ./builder build -p ${{ env.PACKAGE_NAME }}
+
+  openbsd:
+    runs-on: ubuntu-22.04 # latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build ${{ env.PACKAGE_NAME }} + consumers
+        id: test
+        uses: cross-platform-actions/[email protected]
+        with:
+          operating_system: openbsd
+          architecture: x86-64
+          version: '7.4'
+          cpu_count: 4
+          shell: bash
+          run: |
+            sudo pkg_add py3-urllib3
+            python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
+            chmod a+x builder
+            ./builder build -p ${{ env.PACKAGE_NAME }}

CMakeLists.txt

@@ -95,7 +95,7 @@ if (WIN32)
     #platform libs come from aws-c-common transitively, so we don't specify them here, but for documentation purposes,
     #Kernel32 and wsock2 are pulled in automatically. Here we add the lib containing the schannel API.
     #Also note, you don't get a choice on TLS implementation for Windows.
-    set(PLATFORM_LIBS Secur32 Crypt32)
+    set(PLATFORM_LIBS secur32 crypt32)
 elseif (CMAKE_SYSTEM_NAME STREQUAL "Linux" OR CMAKE_SYSTEM_NAME STREQUAL "Android")
     option(USE_VSOCK
 	    "Build in support for VSOCK sockets"

NOTICE

@@ -1,3 +1,5 @@
 AWS C Io
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0.
+
+The source/pkcs11/v2.40/pkcs11.h header file is based on Public Domain content from https://github.com/latchset/pkcs11-headers

builder.json

@@ -5,7 +5,7 @@
         { "name": "aws-c-cal" },
         {
             "name": "s2n",
-            "targets": ["linux", "android"]
+            "targets": ["linux", "android", "freebsd", "openbsd"]
         }
     ],
     "downstream": [

include/aws/io/channel.h

@@ -54,6 +54,8 @@ struct aws_channel_handler_vtable {
     /**
      * Called by the channel when a message is available for processing in the read direction. It is your
      * responsibility to call aws_mem_release(message->allocator, message); on message when you are finished with it.
+     * You must only call `aws_mem_release(message->allocator, message);` if the `process_read_message`
+     * returns AWS_OP_SUCCESS. In case of an error, you must not clean up the message and should just raise the error.
      *
      * Also keep in mind that your slot's internal window has been decremented. You'll want to call
      * aws_channel_slot_increment_read_window() at some point in the future if you want to keep receiving data.
@@ -65,6 +67,8 @@ struct aws_channel_handler_vtable {
     /**
      * Called by the channel when a message is available for processing in the write direction. It is your
      * responsibility to call aws_mem_release(message->allocator, message); on message when you are finished with it.
+     * You must only call `aws_mem_release(message->allocator, message);` if the `process_read_message`
+     * returns AWS_OP_SUCCESS. In case of an error, you must not clean up the message and should just raise the error.
      */
     int (*process_write_message)(
         struct aws_channel_handler *handler,

include/aws/io/tls_channel_handler.h

@@ -675,7 +675,8 @@ AWS_IO_API void aws_tls_connection_options_init_from_ctx(
 AWS_IO_API void aws_tls_connection_options_clean_up(struct aws_tls_connection_options *connection_options);
 
 /**
- * Copies 'from' to 'to'
+ * Cleans up 'to' and copies 'from' to 'to'.
+ * 'to' must be initialized.
  */
 AWS_IO_API int aws_tls_connection_options_copy(
     struct aws_tls_connection_options *to,
@@ -803,18 +804,6 @@ AWS_IO_API struct aws_tls_ctx *aws_tls_ctx_acquire(struct aws_tls_ctx *ctx);
  */
 AWS_IO_API void aws_tls_ctx_release(struct aws_tls_ctx *ctx);
 
-/**
- * Not necessary if you are installing more handlers into the channel, but if you just want to have TLS for arbitrary
- * data and use the channel handler directly, this function allows you to write data to the channel and have it
- * encrypted.
- */
-AWS_IO_API int aws_tls_handler_write(
-    struct aws_channel_handler *handler,
-    struct aws_channel_slot *slot,
-    struct aws_byte_buf *buf,
-    aws_channel_on_message_write_completed_fn *on_write_completed,
-    void *completion_user_data);
-
 /**
  * Returns a byte buffer by copy of the negotiated protocols. If there is no agreed upon protocol, len will be 0 and
  * buffer will be NULL.

source/channel.c

@@ -743,7 +743,7 @@ int aws_channel_slot_insert_end(struct aws_channel *channel, struct aws_channel_
     }
 
     AWS_ASSERT(0);
-    return AWS_OP_ERR;
+    return aws_raise_error(AWS_ERROR_INVALID_STATE);
 }
 
 int aws_channel_slot_insert_left(struct aws_channel_slot *slot, struct aws_channel_slot *to_add) {

source/darwin/darwin_pki_utils.c

@@ -101,12 +101,8 @@ int aws_import_public_and_private_keys_to_identity(
 
     int result = AWS_OP_ERR;
 
-    CFDataRef cert_data = CFDataCreate(cf_alloc, public_cert_chain->ptr, public_cert_chain->len);
-    CFDataRef key_data = CFDataCreate(cf_alloc, private_key->ptr, private_key->len);
-
-    if (!cert_data || !key_data) {
-        return aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
-    }
+    CFDataRef cert_data = NULL;
+    CFDataRef key_data = NULL;
 
     CFArrayRef cert_import_output = NULL;
     CFArrayRef key_import_output = NULL;
@@ -118,9 +114,26 @@ int aws_import_public_and_private_keys_to_identity(
     import_params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
     import_params.passphrase = CFSTR("");
 
+    struct aws_array_list cert_chain_list;
+    AWS_ZERO_STRUCT(cert_chain_list);
+    CFDataRef root_cert_data = NULL;
     SecCertificateRef certificate_ref = NULL;
     SecKeychainRef import_keychain = NULL;
 
+    cert_data = CFDataCreate(cf_alloc, public_cert_chain->ptr, public_cert_chain->len);
+    if (!cert_data) {
+        AWS_LOGF_ERROR(AWS_LS_IO_PKI, "static: failed creating public cert chain data.");
+        result = aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
+        goto done;
+    }
+
+    key_data = CFDataCreate(cf_alloc, private_key->ptr, private_key->len);
+    if (!key_data) {
+        AWS_LOGF_ERROR(AWS_LS_IO_PKI, "static: failed creating private key data.");
+        result = aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
+        goto done;
+    }
+
 #    pragma clang diagnostic push
 #    pragma clang diagnostic ignored "-Wdeprecated-declarations"
     /* SecKeychain functions are marked as deprecated.
@@ -134,7 +147,8 @@ int aws_import_public_and_private_keys_to_identity(
                 "static: error opening keychain \"%s\" with OSStatus %d",
                 aws_string_c_str(keychain_path),
                 keychain_status);
-            return AWS_OP_ERR;
+            result = aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
+            goto done;
         }
         keychain_status = SecKeychainUnlock(import_keychain, 0, "", true);
         if (keychain_status != errSecSuccess) {
@@ -143,14 +157,16 @@ int aws_import_public_and_private_keys_to_identity(
                 "static: error unlocking keychain \"%s\" with OSStatus %d",
                 aws_string_c_str(keychain_path),
                 keychain_status);
-            return AWS_OP_ERR;
+            result = aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
+            goto done;
         }
     } else {
         OSStatus keychain_status = SecKeychainCopyDefault(&import_keychain);
         if (keychain_status != errSecSuccess) {
             AWS_LOGF_ERROR(
                 AWS_LS_IO_PKI, "static: error opening the default keychain with OSStatus %d", keychain_status);
-            return AWS_OP_ERR;
+            result = aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
+            goto done;
         }
     }
 
@@ -168,9 +184,6 @@ int aws_import_public_and_private_keys_to_identity(
     OSStatus key_status =
         SecItemImport(key_data, NULL, &format, &item_type, 0, &import_params, import_keychain, &key_import_output);
 
-    CFRelease(cert_data);
-    CFRelease(key_data);
-
     if (cert_status != errSecSuccess && cert_status != errSecDuplicateItem) {
         AWS_LOGF_ERROR(AWS_LS_IO_PKI, "static: error importing certificate with OSStatus %d", (int)cert_status);
         result = aws_raise_error(AWS_IO_FILE_VALIDATION_FAILURE);
@@ -201,49 +214,56 @@ int aws_import_public_and_private_keys_to_identity(
             AWS_LS_IO_PKI,
             "static: certificate has an existing certificate-key pair that was previously imported into the Keychain.  "
             "Using key from Keychain instead of the one provided.");
-        struct aws_array_list cert_chain_list;
-
         if (aws_pem_objects_init_from_file_contents(&cert_chain_list, alloc, *public_cert_chain)) {
             AWS_LOGF_ERROR(AWS_LS_IO_PKI, "static: decoding certificate PEM failed.");
-            aws_pem_objects_clean_up(&cert_chain_list);
             result = AWS_OP_ERR;
             goto done;
         }
 
         struct aws_pem_object *root_cert_ptr = NULL;
         aws_array_list_get_at_ptr(&cert_chain_list, (void **)&root_cert_ptr, 0);
         AWS_ASSERT(root_cert_ptr);
-        CFDataRef root_cert_data = CFDataCreate(cf_alloc, root_cert_ptr->data.buffer, root_cert_ptr->data.len);
-
-        if (root_cert_data) {
-            certificate_ref = SecCertificateCreateWithData(cf_alloc, root_cert_data);
-            CFRelease(root_cert_data);
+        root_cert_data = CFDataCreate(cf_alloc, root_cert_ptr->data.buffer, root_cert_ptr->data.len);
+        if (!root_cert_data) {
+            AWS_LOGF_ERROR(AWS_LS_IO_PKI, "static: failed creating root cert data.");
+            result = aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
+            goto done;
         }
 
-        aws_pem_objects_clean_up(&cert_chain_list);
+        certificate_ref = SecCertificateCreateWithData(cf_alloc, root_cert_data);
+        if (!certificate_ref) {
+            AWS_LOGF_ERROR(AWS_LS_IO_PKI, "static: failed to create certificate.");
+            result = aws_raise_error(AWS_IO_FILE_VALIDATION_FAILURE);
+            goto done;
+        }
     } else {
         certificate_ref = (SecCertificateRef)CFArrayGetValueAtIndex(cert_import_output, 0);
         /* SecCertificateCreateWithData returns an object with +1 retain, so we need to match that behavior here */
         CFRetain(certificate_ref);
     }
 
-    /* if we got a cert one way or the other, create the identity and return it */
-    if (certificate_ref) {
-        SecIdentityRef identity_output;
-        OSStatus status = SecIdentityCreateWithCertificate(import_keychain, certificate_ref, &identity_output);
-        if (status == errSecSuccess) {
-            CFTypeRef certs[] = {identity_output};
-            *identity = CFArrayCreate(cf_alloc, (const void **)certs, 1L, &kCFTypeArrayCallBacks);
-            result = AWS_OP_SUCCESS;
-            goto done;
-        }
+    /* we got a cert one way or the other, create the identity and return it */
+    AWS_ASSERT(certificate_ref);
+    SecIdentityRef identity_output;
+    OSStatus status = SecIdentityCreateWithCertificate(import_keychain, certificate_ref, &identity_output);
+    if (status != errSecSuccess) {
+        AWS_LOGF_ERROR(AWS_LS_IO_PKI, "static: error creating identity with OSStatus %d", key_status);
+        result = aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
+        goto done;
     }
 
+    CFTypeRef certs[] = {identity_output};
+    *identity = CFArrayCreate(cf_alloc, (const void **)certs, 1L, &kCFTypeArrayCallBacks);
+    result = AWS_OP_SUCCESS;
+
 done:
     aws_mutex_unlock(&s_sec_mutex);
     if (certificate_ref) {
         CFRelease(certificate_ref);
     }
+    if (root_cert_data) {
+        CFRelease(root_cert_data);
+    }
     if (cert_import_output) {
         CFRelease(cert_import_output);
     }
@@ -253,6 +273,13 @@ int aws_import_public_and_private_keys_to_identity(
     if (import_keychain) {
         CFRelease(import_keychain);
     }
+    if (cert_data) {
+        CFRelease(cert_data);
+    }
+    if (key_data) {
+        CFRelease(key_data);
+    }
+    aws_pem_objects_clean_up(&cert_chain_list);
 
     return result;
 }