Add more getters for metrics#538
Merged
Merged
Conversation
mansi153
approved these changes
Jul 18, 2025
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #538 +/- ##
==========================================
- Coverage 89.51% 88.66% -0.85%
==========================================
Files 21 21
Lines 6589 6652 +63
==========================================
Hits 5898 5898
- Misses 691 754 +63
🚀 New features to boost your workflow:
|
sbiscigl
approved these changes
Jul 18, 2025
github-merge-queue Bot
pushed a commit
to awslabs/mountpoint-s3
that referenced
this pull request
Oct 14, 2025
Update the CRT submodules to the latest releases. Changes of note to us: - Updates of S3 endpoint rules - New metric getters for CRT awslabs/aws-c-s3#538 <details> <summary>Full CRT changelog:</summary> ``` a0e41c1 Update CRT submodules to latest releases Submodule mountpoint-s3-crt-sys/crt/aws-c-auth cd9d6afc..ab03bdd9: > Fix sts_web_identity credentials provider (#275) > change stale issue and discussion handling to run once a week (#273) > Remove Windows 2019 and add Windows 2025 with MSVC-17 (#271) > Remove clang-3 from CI (#270) > make exports consistent (#269) Submodule mountpoint-s3-crt-sys/crt/aws-c-cal 8703b3e5..cdd052bf: > Fix cmake4 macos builds (#226) > change stale issue and discussion handling to run once a week (#222) > Remove Windows 2019 and add Windows 2025 with MSVC-17 (#220) Submodule mountpoint-s3-crt-sys/crt/aws-c-common 2b67a658..31578beb: > Import latest CJSON and libcbor. (#1223) > Add support for direct IO read from file. (#1217) > aws_explicit_aligned_allocator_new (#1147) > change stale issue and discussion handling to run once a week (#1216) Submodule mountpoint-s3-crt-sys/crt/aws-c-http bfa03928..ce0d6562: > [fix] failed to compile on FreeBSD (#527) Submodule mountpoint-s3-crt-sys/crt/aws-c-io 12cb9f9c..8906a02c: > Default to PQ TLS for s2n handlers if TLSv1.3 is negotiated (#740) > (Darwin) Fix leak on setting unsupported cipher pref (#757) > Serialized scheduling (#754) > Fix win build when lean and mean specified (#755) > Fix a memory leak from error handling in s2n tls hanlder. (#753) > Scheduled Iteration Mem-release Order (#752) > Fix Dispatch Queue Leak (#750) > Fix memory leaks in NW socket (#749) > Fix warnings found by the Undefined Behavior Sanitizer (#748) > change stale issue and discussion handling to run once a week (#747) > aws_parse_ipv4/6_address (#745) Submodule mountpoint-s3-crt-sys/crt/aws-c-s3 70aacd2d..332dd22c: > update the default behaviors on the fio options (#577) > disable the threshold until we have better options (#574) > Auto - Update S3 Ruleset & Partition (#572) > File streaming support (#564) > Auto - Update S3 Ruleset & Partition (#561) > Auto - Update S3 Ruleset & Partition (#555) > Fix recording of early request metrics (#542) > [fix] retry with checksum result in failure (#543) > change stale issue and discussion handling to run once a week (#541) > Revamp checksum - retry will reuse the checksum (#532) > Add more getters for metrics (#538) Submodule mountpoint-s3-crt-sys/crt/aws-lc 8b4e504c..8ca0b29b: > Prepare 1.61.4 (#2717) > Check compiler for 'linux/random.h' (#2716) > Fixes for android CI tests (#2713) > Migrate Linux ARM omnibus (#2711) > Migrate linux-x86 jobs to self-hosted runners (#2708) > Pin PyCA version in python integration tests (#2706) > Prepare v1.61.3 (#2705) > CodeBuild GitHub Actions Runner Project (#2704) > Remove jitter entropy tests folder (#2702) > Prepare v1.61.2 (#2699) > Windows/MSBuild doesn't provide 'all' target (#2697) > Fix illumos/OpenSolaris (#2698) > Fix test issues with run_minimal_tests (#2695) > Fix build when path has spaces (#2696) > Update Android CI config (#2687) > Prepare v1.61.1 (#2685) > Support FIPS build for Windows/ARM64 (#2688) > Fix duplicate test names in CodeBuild integration tests (#2686) > More arm64 CI tests (#2674) > Use /FI for MSVC forced-includes (#2684) > Prepare AWS-LC v1.61.0 (#2681) > Make X509 CodeBuild webhook more resilient (#2680) > Use CheckCCompilerFlag to test -Wno-cast-function-type (#2678) > fix: Allow zero-length passwords in PEM key decryption (#2677) > Test ACCP in FIPS mode as well as non-FIPS (#2669) > Wrap compiler when FIPS w/ clang v20+ (#2671) > Increase SSLBuffer size to INT_MAX (#2673) > Fix Keccak MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX flag (#2670) > Add AES-XTS AArch64 implementation that will eventually be imported from s2n-bignum. (#2632) > ML-DSA service indicator (#2666) > Update SSLProxy patch (#2663) > Fix for zig build (#2668) > Fix typo in ssl_transfer_asn1 (#2665) > Re-import mlkem-native for addition of CFI directives (#2659) > Refactor iOS CI script (#2637) > Import s2n-bignum 2025-09-05-04 (#2667) > Rand small fixes (#2664) > Implement snapsafe fallback entropy source (#2651) > Address clang-ci comments on new x509 code (#2662) > Merge x509 branch into main (#2660) > Fix ternary operator in github workflow (#2653) > TLS Transfer Serialization Improvements (#2616) > Document and statically assert counters can't overflow (#2658) > Add standalone MLKEM supported groups (#2589) > Fix benchmarking issues with FIPS main (#2655) > Update CPU Jitter Entropy dependency to version 3.6.3 (#2654) > Add x86 Keccak implementation (#2619) > Add expandedKey ASN.1 encoding for KEM keys (#2624) > Prepare for v1.60.0 release (#2649) > Implement ragdoll (#2615) > Fix macOS FIPS build w/ clang-20 (#2645) > Migrate from CodeBuild account actor filter to pull request comment filter based on GitHub permissions (#2644) > Implement read/write timeouts for BIO datagram (#2610) > Anchor CodeBuild account-id patterns (#2641) > Prepare release v1.59.0 (#2643) > ML-KEM: Fix mlkem-native importer.sh (#2635) > Remove BIT_INTERLEAVE support (#2628) > X509_REQ_verify for MLDSA44 and MLDSA87 (#2636) > Add CFI directives in md5-armv8.pl (#2627) > Add CMake Configure pre-push checker (#2596) > ML-KEM: import and enable x86_64 backend from mlkem-native (#2631) > Fix Bind9 CI test (#2629) > ML-KEM: Re-import mlkem-native (#2630) > Fix MariaDB integration test (#2625) > Fix clang-21 compile error (#2623) > Apache httpd integration test (#2614) > Allow prasden ci (#2621) > Add back RC4_options from decrepit (#2618) > Add CFI directives to armv8-mont (#2584) > Support other field for PKCS7 (#2603) > Prepare release v1.58.1 (#2609) > Add support for EVP_PKEY_param_check (#2611) > Move check-linkage.sh to util (#2608) > Prepare release v1.58.0 (#2607) > ML-DSA constant-time hardening for caddq, poly_chknorm, decompose (#2602) > Implement SSL_set_verify_result (#2576) > Impl `SSL_client_hello_get1_extensions_present` and friends (#2561) > target.h: more clearly check for ppc64 endianness (#2604) > Add optimized + verified hybrid AArch64 assembly for batched SHA3/SHAKE (#2600) > Migrate MSVC tests to CodeBuild (#2583) > Fix Win64 unwind info alignment (#2559) > Rewrite 4-fold batched SHAKE to be amenable to batched Keccak-F1600 assembly (#2598) > Add EVP_PKEY_check and EVP_PKEY_public_check (#2565) > Resolve issue with conflicting pkg-config variables (#2601) > Prepare v1.57.0 release (#2593) > Fix nixfmt CI failure (#2588) > Add a couple more no-ops for legacy builds (#2590) > (Experimental) Add SONAME Support to AWS-LC (#2546) > Integrate formally verified AArch64 Keccak-x1 assembly from s2n-bignum/mlkem-native (#2539) > Re-import s2n-bignum after merge of ML-KEM/Keccak functionality (#2595) > Add production stage to CI pipeline (#2483) > Bump tokio from 1.39.3 to 1.43.1 in /tests/ci/lambda (#2552) > Add HMAC SHA3 benchmarks (#2513) > Migrate Openssl-tool parameter parsing (#2501) > ABI monitoring GitHub workflow improvements (#2574) > Reimplement SSL_clear_num_renegotiations (#2586) > Return NULL when a NULL or empty string is passed to NETSCAPE_SPKI_b64_decode. (#2580) > Fix Libwebsocket Build (#2568) > Explicitly test that input length is as expected for ed25519ph (#2585) > Add back X509_STORE_get_verify_cb and X509_STORE_set_lookup_crls_cb (#2581) > Update Windows Docker images (#2579) > ML-KEM: Import AArch64 backend from mlkem-native (#2498) > Offer P521 for signature_algorithms in client Hello (#2572) > Renable NSym CI (#2570) > Bump MySQL version tag to 9.4.0 (#2571) > Update bind9 CI test to use meson (#2562) > Prepare AWS-LC v1.56.0 (#2563) > Revert "Implement SSL_set_verify_result (#2526)" (#2569) > Implement SSL_set_verify_result (#2526) > Remove nsym-related CI (#2566) > Document non-support of TLS 1.3 PHA (#2560) > Pull in SSL_get_negotiated_group and TLSEXT_nid_unknown from upstream (#2558) > tool-openssl: Fix warning 'strnlen' specified bound 4096 exceeds source size 128 (#2556) > Implement SSL_CTX_set_client_hello_cb for ClientHello callback (#2490) > Prepare Docker images for upcoming CI changes (#2475) > docs: Add FIPS documentation to BUILDING.md and README.md (#2387) > CI for mingw64 and ucrt64 w/ msys2 (#2502) > Add missing x509 CI to list of tests (#2548) > Dynamically link AWS-LC in cpython integration tests (#2545) > Align -help return codes in tool-openssl CLI to match Openssl (#2543) > Add LC contributors to allowlist (#2547) > Minimize the nginx patch even further (#2537) > Fix python main diff after upstream PR 135402 merge (#2542) > Use SP 800-56Arev3 Section 5.6.2.1.4.b instead of ECDSA PCT method (#2536) > Fix PKCS12 Error Code (#2538) > Improve OpenSSL compatibility (#2540) > Add pkey command to CLI tool (#2519) > Add prikhap to allow list for CI (#2533) > cpu_ppc64le.c: fix build on FreeBSD (#2520) > Export BF_cfb64_encrypt (#2525) > Implement pkcs8 cli (#2342) > fix: Update Clang version from 18 to 19 in Windows workflow (#2529) > ci: Add GitHub user ID 159580656 to CI allowlist (#2530) > Remove redundant conditions (#2523) > Remove obsolete python main patch (#2522) > Export BIO_f_md for consumers (#2515) > Prepare AWS-LC v1.55.0 (#2521) > s2n-bignum: Add prefix header to _s2n_bignum_internal.h (#2510) > Silence GCC 15 warning for uninitialized variable (#2517) > Rework memory BIOs and implement BIO_seek (3rd try) (#2472) > Temporarily allowlist the webhook actors to AWS-LC (#2514) > Implement HMAC over SHA3 truncated variants (#2484) > Add SSL_CTRL defines for SSL_*_tlsext_status_type (#2496) > Release v1.54.0 (#2511) > Intentionally redefine iovec in headers as CI (#2512) > Add two new APIs to expose TLS 1.3 traffic secrets for kTLS (#2506) > rwlock race tests is not a GoogleTest executable (#2509) > Remove sys headers from bio.h (#2508) > Document that EVP_PKEY_CTX_set_rsa_keygen_pubexp takes ownership (#2503) > Note a couple of typoed struct names that we'll leave alone. (#2499) > Re-remove afunix.h (#2495) > Fix Console Test Suite Execution Locally (#2493) > Order tool output by options provided - x509 (#2454) > Rename SSL test files to match Scrutinice filter (#2491) Submodule mountpoint-s3-crt-sys/crt/s2n-tls 1c5798b8..30f40f23: > feat: Add key update to ktls feature (#5484) > ci: remove duplicate buildspec (#5228) > chore(ci): add sanitizer jobs for openssl-1.0.2-fips (#5508) > chore(ci): add openssl-1.0.2-fips gcc-4.8 job (#5512) > ci: pin libloading which requires MSRV 1.71 (#5520) > chore(ci): Update older integ job to prep for deprecation (#5501) > chore: delete files in preparation for refactor (#5517) > ci: fix clippy (#5516) > build(deps): bump the all-gha-updates group in /.github/workflows with 4 updates (#5497) > chore: bindings release 0.3.26 (#5509) > test: Adds test for serializing a previously-serialized connection (#5495) > test(integv2): trim bloated cases (#5453) > docs(usage guide): description connection serialization (#5504) > feat: add async public key support (#5473) > ci: only use git fetch for nix jobs (#5506) > chore(nix): Flip awslc to upstream flake. (#5317) > chore: bump instance size for Valgrind (#5500) > feat: basic security policy builder interface (#5493) > refactor: move new default policies to separate file (#5492) > chore: pin to older pytest-rerunfailures (#5494) > feat: 'latest' option for strict policy (#5488) > build(deps): bump nixbuild/nix-quick-install-action from 32 to 33 in /.github/workflows in the all-gha-updates group (#5487) > feat(integration): add utilities for capability assertions (#5475) > feat: add pure mlkem_1024 definition (#5468) > fix: no server signature scheme expected with rsa kex (#5481) > refactor(tls-harness): avoid implicit shutdown of ossl connection (#5474) > Fix HKDF on big-endian (#5478) > feat: add method to get signature scheme name (#5471) > refactor: signature scheme name adjustment (#5472) > ci: tweak ruff ci failure message (#5485) > chore(release): release s2n-tls v0.3.25 (#5486) > chore(nix): switch to nixpkgs libressl (#5467) > build(deps): bump the all-gha-updates group across 1 directory with 3 updates (#5479) > chore: Adds build file to get new codebuild project running in CI (#5476) > chore(nix): Move nix integ jobs to ec2 fleets (#5461) > Add TLSv1.3 (classical + PQ) policies for CloudFront Upstream (#5460) > refactor: setup replacement default policies (#5464) > ci: fix wikipedia network test + better error message (#5470) > ci: don't include tls/extensions in SAW build (#5466) > refactor(stuffer): Rename s2n_stuffer_has_pem_encapsulated_block (#5465) > test(integration): add record padding test (#5451) > Add fixed version of the rfc9151 policy (#5277) > chore: apply clippy fixes (#5459) > chore: bindings release 0.3.24 (#5455) > refactor(tls-harness): separate benchmark abstractions (#5444) > chore(ci): once a week, clean the nix store for the kTLS job. (#5430) > Add AWS-CRT-SDK-TLSv1.0-2025-PQ (#5403) > chore(ci): tell crt to not check submodule version (#5450) > build(deps): update criterion requirement from 0.6 to 0.7 in /bindings/rust/standard (#5442) > fix(typo): fix a typo in codebuild.yml (#5445) > feat: add integration test for secp384r1_mlkem_1024 (#5438) > chore: add Awslc fips next to CI (#5349) > ci: document how to manually run the codebuild jobs (#5441) > chore: bindings release 0.3.23 (#5439) > test(bench): add api for mutual auth handshake (#5437) > refactor(bench): unify IO methods (#5434) > build(deps): bump cross-platform-actions/action from 0.28.0 to 0.29.0 in /.github/workflows in the all-gha-updates group (#5435) > feature: update default_pq to support secp384r1_mlkem_1024 (#5433) > chore: Nix Corretto version bump/upstream (#5427) > feat(bench): add generic shutdown functionality (#5426) > feat: add secp384r1_mlkem_1024 kem group (#5395) > ci: run rustfmt/clippy on standard crates (#5333) > docs(aws-kms-tls-auth): clarify security impact of failure modes (#5424) > docs(aws-kms-tls-auth): add readme (#5409) > ci: require repo write permissions for codebuild (#5421) > feat(aws-kms-tls-auth): add provider & receiver structs (#5408) > Flip Nix integration tests to use uv/pytest (#5352) > feat: add ML-KEM-1024 kem definition (#5367) > feat(aws-kms-tls-auth): add psk identity (#5402) > ci: Migrate Duvet GitHub Action to duvet-action repo (#5400) > ci: start codebuild jobs from github actions (#5383) > feat(aws-kms-tls-auth): add codec and parsing (#5398) > docs: note that s2n_shutdown may keep reading (#5370) > chore: release 0.3.22 (#5397) > fix(ci): adding set -e to prevent nix develop to hide failing tests (#5393) > feature: new TLS1.2 + FIPS CRT security policy (#5375) > chore: apply clippy and fmt fixes (#5386) > fix: policy util should ignore deprecated TLS1.2 kems if missing (#5372) > build(deps): bump nixbuild/nix-quick-install-action from 31 to 32 in /.github/workflows in the all-gha-updates group (#5371) > build(deps): bump nixbuild/nix-quick-install-action from 30 to 31 in /.github/workflows in the all-gha-updates group (#5366) > tests(integ): add more debug logging (#5363) > tests(integv2): fix flaky session resumption test (#5362) > build(deps): bump baptiste0928/cargo-install from 3.3.0 to 3.3.1 in /.github/workflows in the all-gha-updates group (#5361) > build: prevent needless rebuild with S2N_INTERN_LIBCRYPTO=ON and Ninja (#5356) > Include application message in Debug impl (#5359) > ci: Fix the sslyze test for nix (#5283) > refactor(examples): remove connection pool (#5353) > build(deps): update pprof requirement from 0.14 to 0.15 in /bindings/rust/standard (#5334) > chore(ci): add a cargo timing buildspec (#5176) > fix: do not use "digest and sign" for ML-DSA in FIPS mode (#5348) > ci: workaround for nix + gnutls + ubuntu24 issue (#5345) > chore: Bindings release 0.3.20 (#5344) > tests(integ): fix nondeterministic ocsp test shutdown behavior (#5340) > feat(bindings): expose custom critical extension API (#5337) > chore(ci): Pin parking_lot_core, lock_api (#5338) > ci: Use official libcrypto verification model repository (#5336) > feat: add custom critical extension support (#5321) > fix(benches): reuse config for handshakes (#5319) > chore: bindings release 0.3.20 (#5332) > CertificateRequest Rust bindings (#5331) > Add CertificateRequest certificate selection callback (#5318) > build(deps): bump the all-gha-updates group across 1 directory with 3 updates (#5315) > feat(examples): add key log example (#5314) > Remove unused negotiate_kem function causing build failure (#5316) > chore: Bump nixpkgs version to 24.11 (#5294) > tests: policy snapshot test (#5309) > fix(benches): use session ticket for resumption (#5305) > feature: release ML-DSA support (#5307) > feature: support for ML-DSA handshake signatures (#5303) > tests: turn verbose mode off by default in integ tests (#5286) > Revert "build: add pull requests limit for dependabot" (#5302) > chore: Update Apache test certificates from RSA1024 to RSA2048 (#5285) > feature: add crypto support for mldsa signing (#5272) > refactor: remove conn->client_hello_version (#5278) > build(deps): unpin test-log because of MSRV updates (#5300) > build: add pull requests limit for dependabot (#5299) > chore: bindings release 0.3.19 (#5298) > build(deps): update strum requirement from 0.25 to 0.27 in /bindings/rust/standard (#5292) > build(deps): update test-log-macros requirement from =0.2.14 to =0.2.17 in /bindings/rust/standard (#5290) > feat: Add `as_ptr()` API for Config (#5274) > tests: reduce integ test flakiness + improve debugability (#5282) > build(deps): update env_logger requirement from 0.10 to 0.11 in /bindings/rust/standard (#5296) > build(deps): bump aws-actions/configure-aws-credentials from 4.1.0 to 4.2.0 in /.github/workflows in the all-gha-updates group (#5297) > tests: fix flaky test_serialization (#5288) > chore: bump standard MSRV to 1.82.0 (#5295) > chore: Add comments to track dependency requirements (#5287) > tests: improve coverage for s2n_stream_cipher_null (#5268) > build(deps): bump astral-sh/setup-uv from 5 to 6 in /.github/workflows in the all-gha-updates group (#5273) > chore: bindings release 0.3.18 (#5284) > ci: fix expectations when using system default libcrypto (#5279) > ci: handle 429 from yahoo.com network integ test (#5280) ``` </details> ### Does this change impact existing behavior? No. ### Does this change need a changelog entry? Does it require a version change? Added changelogs and ensured version changes are correct. --- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and I agree to the terms of the [Developer Certificate of Origin (DCO)](https://developercertificate.org/). Signed-off-by: Daniel Carl Jones <djonesoa@amazon.com>
sahityadg
pushed a commit
to awslabs/mountpoint-s3
that referenced
this pull request
Oct 15, 2025
Update the CRT submodules to the latest releases. Changes of note to us: - Updates of S3 endpoint rules - New metric getters for CRT awslabs/aws-c-s3#538 <details> <summary>Full CRT changelog:</summary> ``` a0e41c1 Update CRT submodules to latest releases Submodule mountpoint-s3-crt-sys/crt/aws-c-auth cd9d6afc..ab03bdd9: > Fix sts_web_identity credentials provider (#275) > change stale issue and discussion handling to run once a week (#273) > Remove Windows 2019 and add Windows 2025 with MSVC-17 (#271) > Remove clang-3 from CI (#270) > make exports consistent (#269) Submodule mountpoint-s3-crt-sys/crt/aws-c-cal 8703b3e5..cdd052bf: > Fix cmake4 macos builds (#226) > change stale issue and discussion handling to run once a week (#222) > Remove Windows 2019 and add Windows 2025 with MSVC-17 (#220) Submodule mountpoint-s3-crt-sys/crt/aws-c-common 2b67a658..31578beb: > Import latest CJSON and libcbor. (#1223) > Add support for direct IO read from file. (#1217) > aws_explicit_aligned_allocator_new (#1147) > change stale issue and discussion handling to run once a week (#1216) Submodule mountpoint-s3-crt-sys/crt/aws-c-http bfa03928..ce0d6562: > [fix] failed to compile on FreeBSD (#527) Submodule mountpoint-s3-crt-sys/crt/aws-c-io 12cb9f9c..8906a02c: > Default to PQ TLS for s2n handlers if TLSv1.3 is negotiated (#740) > (Darwin) Fix leak on setting unsupported cipher pref (#757) > Serialized scheduling (#754) > Fix win build when lean and mean specified (#755) > Fix a memory leak from error handling in s2n tls hanlder. (#753) > Scheduled Iteration Mem-release Order (#752) > Fix Dispatch Queue Leak (#750) > Fix memory leaks in NW socket (#749) > Fix warnings found by the Undefined Behavior Sanitizer (#748) > change stale issue and discussion handling to run once a week (#747) > aws_parse_ipv4/6_address (#745) Submodule mountpoint-s3-crt-sys/crt/aws-c-s3 70aacd2d..332dd22c: > update the default behaviors on the fio options (#577) > disable the threshold until we have better options (#574) > Auto - Update S3 Ruleset & Partition (#572) > File streaming support (#564) > Auto - Update S3 Ruleset & Partition (#561) > Auto - Update S3 Ruleset & Partition (#555) > Fix recording of early request metrics (#542) > [fix] retry with checksum result in failure (#543) > change stale issue and discussion handling to run once a week (#541) > Revamp checksum - retry will reuse the checksum (#532) > Add more getters for metrics (#538) Submodule mountpoint-s3-crt-sys/crt/aws-lc 8b4e504c..8ca0b29b: > Prepare 1.61.4 (#2717) > Check compiler for 'linux/random.h' (#2716) > Fixes for android CI tests (#2713) > Migrate Linux ARM omnibus (#2711) > Migrate linux-x86 jobs to self-hosted runners (#2708) > Pin PyCA version in python integration tests (#2706) > Prepare v1.61.3 (#2705) > CodeBuild GitHub Actions Runner Project (#2704) > Remove jitter entropy tests folder (#2702) > Prepare v1.61.2 (#2699) > Windows/MSBuild doesn't provide 'all' target (#2697) > Fix illumos/OpenSolaris (#2698) > Fix test issues with run_minimal_tests (#2695) > Fix build when path has spaces (#2696) > Update Android CI config (#2687) > Prepare v1.61.1 (#2685) > Support FIPS build for Windows/ARM64 (#2688) > Fix duplicate test names in CodeBuild integration tests (#2686) > More arm64 CI tests (#2674) > Use /FI for MSVC forced-includes (#2684) > Prepare AWS-LC v1.61.0 (#2681) > Make X509 CodeBuild webhook more resilient (#2680) > Use CheckCCompilerFlag to test -Wno-cast-function-type (#2678) > fix: Allow zero-length passwords in PEM key decryption (#2677) > Test ACCP in FIPS mode as well as non-FIPS (#2669) > Wrap compiler when FIPS w/ clang v20+ (#2671) > Increase SSLBuffer size to INT_MAX (#2673) > Fix Keccak MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX flag (#2670) > Add AES-XTS AArch64 implementation that will eventually be imported from s2n-bignum. (#2632) > ML-DSA service indicator (#2666) > Update SSLProxy patch (#2663) > Fix for zig build (#2668) > Fix typo in ssl_transfer_asn1 (#2665) > Re-import mlkem-native for addition of CFI directives (#2659) > Refactor iOS CI script (#2637) > Import s2n-bignum 2025-09-05-04 (#2667) > Rand small fixes (#2664) > Implement snapsafe fallback entropy source (#2651) > Address clang-ci comments on new x509 code (#2662) > Merge x509 branch into main (#2660) > Fix ternary operator in github workflow (#2653) > TLS Transfer Serialization Improvements (#2616) > Document and statically assert counters can't overflow (#2658) > Add standalone MLKEM supported groups (#2589) > Fix benchmarking issues with FIPS main (#2655) > Update CPU Jitter Entropy dependency to version 3.6.3 (#2654) > Add x86 Keccak implementation (#2619) > Add expandedKey ASN.1 encoding for KEM keys (#2624) > Prepare for v1.60.0 release (#2649) > Implement ragdoll (#2615) > Fix macOS FIPS build w/ clang-20 (#2645) > Migrate from CodeBuild account actor filter to pull request comment filter based on GitHub permissions (#2644) > Implement read/write timeouts for BIO datagram (#2610) > Anchor CodeBuild account-id patterns (#2641) > Prepare release v1.59.0 (#2643) > ML-KEM: Fix mlkem-native importer.sh (#2635) > Remove BIT_INTERLEAVE support (#2628) > X509_REQ_verify for MLDSA44 and MLDSA87 (#2636) > Add CFI directives in md5-armv8.pl (#2627) > Add CMake Configure pre-push checker (#2596) > ML-KEM: import and enable x86_64 backend from mlkem-native (#2631) > Fix Bind9 CI test (#2629) > ML-KEM: Re-import mlkem-native (#2630) > Fix MariaDB integration test (#2625) > Fix clang-21 compile error (#2623) > Apache httpd integration test (#2614) > Allow prasden ci (#2621) > Add back RC4_options from decrepit (#2618) > Add CFI directives to armv8-mont (#2584) > Support other field for PKCS7 (#2603) > Prepare release v1.58.1 (#2609) > Add support for EVP_PKEY_param_check (#2611) > Move check-linkage.sh to util (#2608) > Prepare release v1.58.0 (#2607) > ML-DSA constant-time hardening for caddq, poly_chknorm, decompose (#2602) > Implement SSL_set_verify_result (#2576) > Impl `SSL_client_hello_get1_extensions_present` and friends (#2561) > target.h: more clearly check for ppc64 endianness (#2604) > Add optimized + verified hybrid AArch64 assembly for batched SHA3/SHAKE (#2600) > Migrate MSVC tests to CodeBuild (#2583) > Fix Win64 unwind info alignment (#2559) > Rewrite 4-fold batched SHAKE to be amenable to batched Keccak-F1600 assembly (#2598) > Add EVP_PKEY_check and EVP_PKEY_public_check (#2565) > Resolve issue with conflicting pkg-config variables (#2601) > Prepare v1.57.0 release (#2593) > Fix nixfmt CI failure (#2588) > Add a couple more no-ops for legacy builds (#2590) > (Experimental) Add SONAME Support to AWS-LC (#2546) > Integrate formally verified AArch64 Keccak-x1 assembly from s2n-bignum/mlkem-native (#2539) > Re-import s2n-bignum after merge of ML-KEM/Keccak functionality (#2595) > Add production stage to CI pipeline (#2483) > Bump tokio from 1.39.3 to 1.43.1 in /tests/ci/lambda (#2552) > Add HMAC SHA3 benchmarks (#2513) > Migrate Openssl-tool parameter parsing (#2501) > ABI monitoring GitHub workflow improvements (#2574) > Reimplement SSL_clear_num_renegotiations (#2586) > Return NULL when a NULL or empty string is passed to NETSCAPE_SPKI_b64_decode. (#2580) > Fix Libwebsocket Build (#2568) > Explicitly test that input length is as expected for ed25519ph (#2585) > Add back X509_STORE_get_verify_cb and X509_STORE_set_lookup_crls_cb (#2581) > Update Windows Docker images (#2579) > ML-KEM: Import AArch64 backend from mlkem-native (#2498) > Offer P521 for signature_algorithms in client Hello (#2572) > Renable NSym CI (#2570) > Bump MySQL version tag to 9.4.0 (#2571) > Update bind9 CI test to use meson (#2562) > Prepare AWS-LC v1.56.0 (#2563) > Revert "Implement SSL_set_verify_result (#2526)" (#2569) > Implement SSL_set_verify_result (#2526) > Remove nsym-related CI (#2566) > Document non-support of TLS 1.3 PHA (#2560) > Pull in SSL_get_negotiated_group and TLSEXT_nid_unknown from upstream (#2558) > tool-openssl: Fix warning 'strnlen' specified bound 4096 exceeds source size 128 (#2556) > Implement SSL_CTX_set_client_hello_cb for ClientHello callback (#2490) > Prepare Docker images for upcoming CI changes (#2475) > docs: Add FIPS documentation to BUILDING.md and README.md (#2387) > CI for mingw64 and ucrt64 w/ msys2 (#2502) > Add missing x509 CI to list of tests (#2548) > Dynamically link AWS-LC in cpython integration tests (#2545) > Align -help return codes in tool-openssl CLI to match Openssl (#2543) > Add LC contributors to allowlist (#2547) > Minimize the nginx patch even further (#2537) > Fix python main diff after upstream PR 135402 merge (#2542) > Use SP 800-56Arev3 Section 5.6.2.1.4.b instead of ECDSA PCT method (#2536) > Fix PKCS12 Error Code (#2538) > Improve OpenSSL compatibility (#2540) > Add pkey command to CLI tool (#2519) > Add prikhap to allow list for CI (#2533) > cpu_ppc64le.c: fix build on FreeBSD (#2520) > Export BF_cfb64_encrypt (#2525) > Implement pkcs8 cli (#2342) > fix: Update Clang version from 18 to 19 in Windows workflow (#2529) > ci: Add GitHub user ID 159580656 to CI allowlist (#2530) > Remove redundant conditions (#2523) > Remove obsolete python main patch (#2522) > Export BIO_f_md for consumers (#2515) > Prepare AWS-LC v1.55.0 (#2521) > s2n-bignum: Add prefix header to _s2n_bignum_internal.h (#2510) > Silence GCC 15 warning for uninitialized variable (#2517) > Rework memory BIOs and implement BIO_seek (3rd try) (#2472) > Temporarily allowlist the webhook actors to AWS-LC (#2514) > Implement HMAC over SHA3 truncated variants (#2484) > Add SSL_CTRL defines for SSL_*_tlsext_status_type (#2496) > Release v1.54.0 (#2511) > Intentionally redefine iovec in headers as CI (#2512) > Add two new APIs to expose TLS 1.3 traffic secrets for kTLS (#2506) > rwlock race tests is not a GoogleTest executable (#2509) > Remove sys headers from bio.h (#2508) > Document that EVP_PKEY_CTX_set_rsa_keygen_pubexp takes ownership (#2503) > Note a couple of typoed struct names that we'll leave alone. (#2499) > Re-remove afunix.h (#2495) > Fix Console Test Suite Execution Locally (#2493) > Order tool output by options provided - x509 (#2454) > Rename SSL test files to match Scrutinice filter (#2491) Submodule mountpoint-s3-crt-sys/crt/s2n-tls 1c5798b8..30f40f23: > feat: Add key update to ktls feature (#5484) > ci: remove duplicate buildspec (#5228) > chore(ci): add sanitizer jobs for openssl-1.0.2-fips (#5508) > chore(ci): add openssl-1.0.2-fips gcc-4.8 job (#5512) > ci: pin libloading which requires MSRV 1.71 (#5520) > chore(ci): Update older integ job to prep for deprecation (#5501) > chore: delete files in preparation for refactor (#5517) > ci: fix clippy (#5516) > build(deps): bump the all-gha-updates group in /.github/workflows with 4 updates (#5497) > chore: bindings release 0.3.26 (#5509) > test: Adds test for serializing a previously-serialized connection (#5495) > test(integv2): trim bloated cases (#5453) > docs(usage guide): description connection serialization (#5504) > feat: add async public key support (#5473) > ci: only use git fetch for nix jobs (#5506) > chore(nix): Flip awslc to upstream flake. (#5317) > chore: bump instance size for Valgrind (#5500) > feat: basic security policy builder interface (#5493) > refactor: move new default policies to separate file (#5492) > chore: pin to older pytest-rerunfailures (#5494) > feat: 'latest' option for strict policy (#5488) > build(deps): bump nixbuild/nix-quick-install-action from 32 to 33 in /.github/workflows in the all-gha-updates group (#5487) > feat(integration): add utilities for capability assertions (#5475) > feat: add pure mlkem_1024 definition (#5468) > fix: no server signature scheme expected with rsa kex (#5481) > refactor(tls-harness): avoid implicit shutdown of ossl connection (#5474) > Fix HKDF on big-endian (#5478) > feat: add method to get signature scheme name (#5471) > refactor: signature scheme name adjustment (#5472) > ci: tweak ruff ci failure message (#5485) > chore(release): release s2n-tls v0.3.25 (#5486) > chore(nix): switch to nixpkgs libressl (#5467) > build(deps): bump the all-gha-updates group across 1 directory with 3 updates (#5479) > chore: Adds build file to get new codebuild project running in CI (#5476) > chore(nix): Move nix integ jobs to ec2 fleets (#5461) > Add TLSv1.3 (classical + PQ) policies for CloudFront Upstream (#5460) > refactor: setup replacement default policies (#5464) > ci: fix wikipedia network test + better error message (#5470) > ci: don't include tls/extensions in SAW build (#5466) > refactor(stuffer): Rename s2n_stuffer_has_pem_encapsulated_block (#5465) > test(integration): add record padding test (#5451) > Add fixed version of the rfc9151 policy (#5277) > chore: apply clippy fixes (#5459) > chore: bindings release 0.3.24 (#5455) > refactor(tls-harness): separate benchmark abstractions (#5444) > chore(ci): once a week, clean the nix store for the kTLS job. (#5430) > Add AWS-CRT-SDK-TLSv1.0-2025-PQ (#5403) > chore(ci): tell crt to not check submodule version (#5450) > build(deps): update criterion requirement from 0.6 to 0.7 in /bindings/rust/standard (#5442) > fix(typo): fix a typo in codebuild.yml (#5445) > feat: add integration test for secp384r1_mlkem_1024 (#5438) > chore: add Awslc fips next to CI (#5349) > ci: document how to manually run the codebuild jobs (#5441) > chore: bindings release 0.3.23 (#5439) > test(bench): add api for mutual auth handshake (#5437) > refactor(bench): unify IO methods (#5434) > build(deps): bump cross-platform-actions/action from 0.28.0 to 0.29.0 in /.github/workflows in the all-gha-updates group (#5435) > feature: update default_pq to support secp384r1_mlkem_1024 (#5433) > chore: Nix Corretto version bump/upstream (#5427) > feat(bench): add generic shutdown functionality (#5426) > feat: add secp384r1_mlkem_1024 kem group (#5395) > ci: run rustfmt/clippy on standard crates (#5333) > docs(aws-kms-tls-auth): clarify security impact of failure modes (#5424) > docs(aws-kms-tls-auth): add readme (#5409) > ci: require repo write permissions for codebuild (#5421) > feat(aws-kms-tls-auth): add provider & receiver structs (#5408) > Flip Nix integration tests to use uv/pytest (#5352) > feat: add ML-KEM-1024 kem definition (#5367) > feat(aws-kms-tls-auth): add psk identity (#5402) > ci: Migrate Duvet GitHub Action to duvet-action repo (#5400) > ci: start codebuild jobs from github actions (#5383) > feat(aws-kms-tls-auth): add codec and parsing (#5398) > docs: note that s2n_shutdown may keep reading (#5370) > chore: release 0.3.22 (#5397) > fix(ci): adding set -e to prevent nix develop to hide failing tests (#5393) > feature: new TLS1.2 + FIPS CRT security policy (#5375) > chore: apply clippy and fmt fixes (#5386) > fix: policy util should ignore deprecated TLS1.2 kems if missing (#5372) > build(deps): bump nixbuild/nix-quick-install-action from 31 to 32 in /.github/workflows in the all-gha-updates group (#5371) > build(deps): bump nixbuild/nix-quick-install-action from 30 to 31 in /.github/workflows in the all-gha-updates group (#5366) > tests(integ): add more debug logging (#5363) > tests(integv2): fix flaky session resumption test (#5362) > build(deps): bump baptiste0928/cargo-install from 3.3.0 to 3.3.1 in /.github/workflows in the all-gha-updates group (#5361) > build: prevent needless rebuild with S2N_INTERN_LIBCRYPTO=ON and Ninja (#5356) > Include application message in Debug impl (#5359) > ci: Fix the sslyze test for nix (#5283) > refactor(examples): remove connection pool (#5353) > build(deps): update pprof requirement from 0.14 to 0.15 in /bindings/rust/standard (#5334) > chore(ci): add a cargo timing buildspec (#5176) > fix: do not use "digest and sign" for ML-DSA in FIPS mode (#5348) > ci: workaround for nix + gnutls + ubuntu24 issue (#5345) > chore: Bindings release 0.3.20 (#5344) > tests(integ): fix nondeterministic ocsp test shutdown behavior (#5340) > feat(bindings): expose custom critical extension API (#5337) > chore(ci): Pin parking_lot_core, lock_api (#5338) > ci: Use official libcrypto verification model repository (#5336) > feat: add custom critical extension support (#5321) > fix(benches): reuse config for handshakes (#5319) > chore: bindings release 0.3.20 (#5332) > CertificateRequest Rust bindings (#5331) > Add CertificateRequest certificate selection callback (#5318) > build(deps): bump the all-gha-updates group across 1 directory with 3 updates (#5315) > feat(examples): add key log example (#5314) > Remove unused negotiate_kem function causing build failure (#5316) > chore: Bump nixpkgs version to 24.11 (#5294) > tests: policy snapshot test (#5309) > fix(benches): use session ticket for resumption (#5305) > feature: release ML-DSA support (#5307) > feature: support for ML-DSA handshake signatures (#5303) > tests: turn verbose mode off by default in integ tests (#5286) > Revert "build: add pull requests limit for dependabot" (#5302) > chore: Update Apache test certificates from RSA1024 to RSA2048 (#5285) > feature: add crypto support for mldsa signing (#5272) > refactor: remove conn->client_hello_version (#5278) > build(deps): unpin test-log because of MSRV updates (#5300) > build: add pull requests limit for dependabot (#5299) > chore: bindings release 0.3.19 (#5298) > build(deps): update strum requirement from 0.25 to 0.27 in /bindings/rust/standard (#5292) > build(deps): update test-log-macros requirement from =0.2.14 to =0.2.17 in /bindings/rust/standard (#5290) > feat: Add `as_ptr()` API for Config (#5274) > tests: reduce integ test flakiness + improve debugability (#5282) > build(deps): update env_logger requirement from 0.10 to 0.11 in /bindings/rust/standard (#5296) > build(deps): bump aws-actions/configure-aws-credentials from 4.1.0 to 4.2.0 in /.github/workflows in the all-gha-updates group (#5297) > tests: fix flaky test_serialization (#5288) > chore: bump standard MSRV to 1.82.0 (#5295) > chore: Add comments to track dependency requirements (#5287) > tests: improve coverage for s2n_stream_cipher_null (#5268) > build(deps): bump astral-sh/setup-uv from 5 to 6 in /.github/workflows in the all-gha-updates group (#5273) > chore: bindings release 0.3.18 (#5284) > ci: fix expectations when using system default libcrypto (#5279) > ci: handle 429 from yahoo.com network integ test (#5280) ``` </details> ### Does this change impact existing behavior? No. ### Does this change need a changelog entry? Does it require a version change? Added changelogs and ensured version changes are correct. --- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and I agree to the terms of the [Developer Certificate of Origin (DCO)](https://developercertificate.org/). Signed-off-by: Daniel Carl Jones <djonesoa@amazon.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.