From 118de759ff9eb66b814d76a9df7ebde353a1938c Mon Sep 17 00:00:00 2001
From: Igor Abdrakhimov
Date: Mon, 11 May 2026 10:08:42 -0700
Subject: [PATCH 1/5] bump aws-c-io
---
 crt/aws-c-io | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crt/aws-c-io b/crt/aws-c-io
index 1ec8081f2..c05903179 160000
--- a/crt/aws-c-io
+++ b/crt/aws-c-io
@@ -1 +1 @@
-Subproject commit 1ec8081f208ef8d51381889eda3bda9756fd5bb5
+Subproject commit c0590317988a5297c7d03c1d0cec90b2c33af646
From 681ac5a3129b7f431b94cc43db4418cddebe0ebb Mon Sep 17 00:00:00 2001
From: Igor Abdrakhimov
Date: Mon, 11 May 2026 10:09:56 -0700
Subject: [PATCH 2/5] Add s2n CI job
---
 .github/workflows/ci.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 966a350a8..96c4b7a3e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -344,6 +344,42 @@ jobs: chmod a+x builder ./builder build -p ${{ env.PACKAGE_NAME }} + macos-s2n: + runs-on: macos-14 # latest + env: + AWS_CRT_USE_NON_FIPS_TLS_13: 1 + permissions: + id-token: write # This is required for requesting the JWT + steps: + - name: configure AWS credentials (containers) + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ env.CRT_CI_ROLE }} + aws-region: ${{ env.AWS_DEFAULT_REGION }} + - name: Build ${{ env.PACKAGE_NAME }} + consumers + run: | + python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')" + chmod a+x builder + ./builder build -p ${{ env.PACKAGE_NAME }} + + macos-x64-s2n: + runs-on: macos-14-large # latest + env: + AWS_CRT_USE_NON_FIPS_TLS_13: 1 + permissions: + id-token: write # This is required for requesting the JWT + steps: + - name: configure AWS credentials (containers) + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ env.CRT_CI_ROLE }} + aws-region: ${{ env.AWS_DEFAULT_REGION }} + - name: Build ${{ env.PACKAGE_NAME }} + consumers + run: | + python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')" + chmod a+x builder + ./builder build -p ${{ env.PACKAGE_NAME }} + + openbsd: runs-on: ubuntu-24.04 # latest strategy:
From b7ca838e49dddf8054a6da96edc1bb5a17f1f452 Mon Sep 17 00:00:00 2001
From: Igor Abdrakhimov
Date: Mon, 11 May 2026 10:27:17 -0700
Subject: [PATCH 3/5] Build s2n on apple
---
 crt/CMakeLists.txt | 12 +++++++-----
 setup.py | 13 +------------
 2 files changed, 8 insertions(+), 17 deletions(-)
diff --git a/crt/CMakeLists.txt b/crt/CMakeLists.txt
index 965f110e1..88f6d3b4c 100644
--- a/crt/CMakeLists.txt
+++ b/crt/CMakeLists.txt
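Review bot: The two new jobs `macos-s2n` and `macos-x64-s2n` are identical apart from `runs-on`, so a `strategy: matrix:` over the two runner labels would express them as one job and keep the env, permissions and steps from drifting apart. The step label `configure AWS credentials (containers)` is copied from a container job and does not describe these macOS runners; `configure AWS credentials` is enough. The jobs also inherit the existing pattern of fetching `builder.pyz` with `urlretrieve` and executing it without verifying it; if `BUILDER_VERSION` is not an immutable pin, a checksum check of the downloaded file belongs in that shared step rather than being copied into two more jobs. The enclosing `jobs:` map starts well before the hunk.
```yaml
  macos-s2n:
    strategy:
      matrix:
        runner: [macos-14, macos-14-large]
    runs-on: ${{ matrix.runner }}
    env:
      AWS_CRT_USE_NON_FIPS_TLS_13: 1
    # … unchanged: permissions and steps from the first new job, used once …
```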
@@ -32,9 +32,10 @@ option(AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE "Set this if you want to string(REPLACE "-g" "-g1" CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELWITHDEBINFO}") string(REPLACE "-g" "-g1" CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELWITHDEBINFO}") -# On Unix we use S2N for TLS and AWS-LC crypto. -# (On Windows and Apple we use the default OS libraries) -if ((UNIX AND NOT APPLE) OR AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE) +# On Linux and BSD, we use S2N for TLS and AWS-LC crypto. +# On Windows, we use the default OS libraries. +# On Apple, we use the default OS libraries by default, but support S2N usage. +if (UNIX OR AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE) option(USE_OPENSSL "Set this if you want to use your system's OpenSSL compatible libcrypto" OFF) include(AwsPrebuildDependency)
@@ -48,7 +49,7 @@ if ((UNIX AND NOT APPLE) OR AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE) -DCMAKE_BUILD_TYPE=RelWithDebInfo # Use the same build type as the rest of the project ) - if (APPLE OR WIN32) + if (WIN32) # Libcrypto implementations typically have several chunky pregenerated tables that add a lot # to artifact size. We dont really need them for ed25519 case on win/mac, so favor # smaller binary over perf here.
@@ -72,7 +73,7 @@ if ((UNIX AND NOT APPLE) OR AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE) endif() -if(UNIX AND NOT APPLE) +if(UNIX) # prebuild s2n-tls. aws_prebuild_dependency( DEPENDENCY_NAME S2N
@@ -80,6 +81,7 @@ if(UNIX AND NOT APPLE) CMAKE_ARGUMENTS -DUNSAFE_TREAT_WARNINGS_AS_ERRORS=OFF -DBUILD_TESTING=OFF + -DCMAKE_NO_SYSTEM_FROM_IMPORTED=ON ) endif()
diff --git a/setup.py b/setup.py
index 380e5e948..90e50f1a8 100644
--- a/setup.py
+++ b/setup.py
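Review bot: The comment under the second hunk's `if (WIN32)` still says the pregenerated tables are not needed `for ed25519 case on win/mac`, but the condition it explains dropped `APPLE`, so macOS now gets the full-size libcrypto and the comment should lose `/mac` and say why Apple wants the tables now (presumably because s2n uses this libcrypto for TLS there). In the first hunk the new comment says Apple uses the OS libraries `by default, but support S2N usage`, yet `if (UNIX OR AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE)` builds AWS-LC and s2n unconditionally on Apple; a sentence stating that the backend is chosen at runtime rather than at configure time would make that clear, since nothing in this file shows what selects s2n on Apple. The `-DCMAKE_NO_SYSTEM_FROM_IMPORTED=ON` argument added in the fourth hunk has no comment; a line such as `# required on Apple: <describe the build failure it works around>` would tell the next reader why it is there. With `UNIX` now covering Apple, `AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE` only changes the outcome on Windows, which its option description (outside the hunk) could say.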
@@ -301,7 +301,7 @@ def __init__(self, name, extra_cmake_args=[], libname=None): # aws-lc produces libcrypto.a AWS_LIBS.append(AwsLib('aws-lc', libname='crypto')) -if sys.platform != 'darwin' and sys.platform != 'win32': +if sys.platform != 'win32': AWS_LIBS.append(AwsLib('s2n')) AWS_LIBS.append(AwsLib('aws-c-common'))
@@ -593,17 +593,6 @@ def awscrt_ext(): if not is_macos_universal2(): if sys.platform == 'darwin': extra_link_args += ['-Wl,-fatal_warnings'] - # xcode 15 introduced a new linker that generates a warning - # when it sees duplicate libs or rpath during bundling. - # pyenv installed from homebrew put duplicate rpath entries - # into sysconfig, and setuptools happily passes them along - # to xcode, resulting in a warning - # (which is fatal in this branch). - # ex. https://github.com/pyenv/pyenv/issues/2890 - # lets revert back to old linker on xcode >= 15 until one of - # the involved parties fixes the issue. - if get_xcode_major_version() >= 15: - extra_link_args += ['-Wl,-ld_classic'] elif 'bsd' in sys.platform: extra_link_args += ['-Wl,-fatal-warnings'] else:
From 465c48761c40747db2147d063ad3e8e52b983778 Mon Sep 17 00:00:00 2001
From: Igor Abdrakhimov
Date: Mon, 11 May 2026 11:57:14 -0700
Subject: [PATCH 4/5] Try to restore -Wl,-ld_classic
---
 setup.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/setup.py b/setup.py
index 90e50f1a8..032bff830 100644
--- a/setup.py
+++ b/setup.py
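Review bot: The new gate `if sys.platform != 'win32':` in the first hunk has to agree with `if(UNIX)` in crt/CMakeLists.txt, which now also prebuilds s2n on Apple, and neither side refers to the other; a comment on this line such as `# must match the if(UNIX) s2n prebuild in crt/CMakeLists.txt` would keep the two platform lists in step when the next platform is added. The second hunk deletes the `-Wl,-ld_classic` workaround only for patch 4 to put it back verbatim; squashing the two patches would stop the series from recording a revert of a still-needed linker workaround. The first hunk's lines are module-level statements that follow the `AwsLib.__init__` named in its header, and `awscrt_ext` continues past the end of the second hunk.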
@@ -593,6 +593,17 @@ def awscrt_ext(): if not is_macos_universal2(): if sys.platform == 'darwin': extra_link_args += ['-Wl,-fatal_warnings'] + # xcode 15 introduced a new linker that generates a warning + # when it sees duplicate libs or rpath during bundling. + # pyenv installed from homebrew put duplicate rpath entries + # into sysconfig, and setuptools happily passes them along + # to xcode, resulting in a warning + # (which is fatal in this branch). + # ex. https://github.com/pyenv/pyenv/issues/2890 + # lets revert back to old linker on xcode >= 15 until one of + # the involved parties fixes the issue. + if get_xcode_major_version() >= 15: + extra_link_args += ['-Wl,-ld_classic'] elif 'bsd' in sys.platform: extra_link_args += ['-Wl,-fatal-warnings'] else:
From 8a1f0233c68682c20b1b34fdfed3e3209d2581a1 Mon Sep 17 00:00:00 2001
From: Igor Abdrakhimov
Date: Fri, 22 May 2026 09:38:00 -0700
Subject: [PATCH 5/5] Disable pkcs12 tests
---
 test/test_mqtt5_credentials.py | 1 +
 test/test_mqtt_credentials.py | 1 +
 2 files changed, 2 insertions(+)
diff --git a/test/test_mqtt5_credentials.py b/test/test_mqtt5_credentials.py
index 96057834e..2e5bf94d2 100644
--- a/test/test_mqtt5_credentials.py
+++ b/test/test_mqtt5_credentials.py
@@ -130,6 +130,7 @@ def _test_mqtt5_cred_pkcs12(self): client.stop() callbacks.future_stopped.result(TIMEOUT) + @unittest.skipIf(os.environ.get('AWS_CRT_USE_NON_FIPS_TLS_13'), "PKCS12 not supported with non-FIPS TLS 1.3") def test_mqtt5_cred_pkcs12(self): test_retry_wrapper(self._test_mqtt5_cred_pkcs12)
diff --git a/test/test_mqtt_credentials.py b/test/test_mqtt_credentials.py
index 58b99b4ce..4686ef657 100644
--- a/test/test_mqtt_credentials.py
+++ b/test/test_mqtt_credentials.py
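Review bot: `os.environ.get('AWS_CRT_USE_NON_FIPS_TLS_13')` in the new `skipIf` on `test_mqtt5_cred_pkcs12` is truthy for any non-empty string, so `AWS_CRT_USE_NON_FIPS_TLS_13=0` or `=false` also skips the test; the CI jobs set it to `1`, so compare against that explicitly, e.g. `os.environ.get('AWS_CRT_USE_NON_FIPS_TLS_13') == '1'`, or parse it once into a module-level boolean. The identical condition and reason string are duplicated on `test_mqtt311_cred_pkcs12` in test/test_mqtt_credentials.py (the next hunk); a shared helper in the test package would keep the two in step. The reason string attributes the limitation to non-FIPS TLS 1.3, while the variable appears from the `macos-s2n` jobs in this series to switch the Apple build to the s2n backend; naming the backend that lacks PKCS12 support would make the skip easier to retire later. The decorator also relies on `os` and `unittest` being imported in both test files, which the hunks do not show.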
@@ -46,6 +46,7 @@ def _test_mqtt311_cred_pkcs12(self): connection.connect().result(TIMEOUT) connection.disconnect().result(TIMEOUT) + @unittest.skipIf(os.environ.get('AWS_CRT_USE_NON_FIPS_TLS_13'), "PKCS12 not supported with non-FIPS TLS 1.3") def test_mqtt311_cred_pkcs12(self): test_retry_wrapper(self._test_mqtt311_cred_pkcs12)