From 9e1bb08098312e3e36cbdd30073bc6757015c913 Mon Sep 17 00:00:00 2001 From: Steve Kim <86316075+sbSteveK@users.noreply.github.com> Date: Wed, 9 Oct 2024 10:30:12 -0700 Subject: [PATCH 1/3] Clarify socket options logging (#681) --- source/posix/socket.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source/posix/socket.c b/source/posix/socket.c index dbbf62657..1e16bb245 100644 --- a/source/posix/socket.c +++ b/source/posix/socket.c @@ -1220,7 +1220,8 @@ int aws_socket_set_options(struct aws_socket *socket, const struct aws_socket_op AWS_LOGF_DEBUG( AWS_LS_IO_SOCKET, - "id=%p fd=%d: setting socket options to: keep-alive %d, keep idle %d, keep-alive interval %d, keep-alive probe " + "id=%p fd=%d: setting socket options to: keep-alive %d, keep-alive timeout %d, keep-alive interval %d, " + "keep-alive probe " "count %d.", (void *)socket, socket->io_handle.data.fd, From dc41ddc498c10ebbf69aba7775afa36c8c1910bd Mon Sep 17 00:00:00 2001 From: Dengke Tang Date: Thu, 10 Oct 2024 11:47:33 -0700 Subject: [PATCH 2/3] Use s2n_cleanup_thread() and path (#682) Co-authored-by: Michael Graeb --- CMakeLists.txt | 19 +++++++++++++++---- source/s2n/s2n_tls_channel_handler.c | 10 ++++++++-- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index dc3395853..ad560ad4a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -152,10 +152,21 @@ if (BYO_CRYPTO) endif() if (USE_S2N) - file(GLOB AWS_IO_TLS_SRC - "source/s2n/*.c" - ) - aws_use_package(s2n) + file(GLOB AWS_IO_TLS_SRC + "source/s2n/*.c" + ) + # Prefer find_package() because it's the normal CMake way to do dependencies. + # But fall back on aws_use_package() because some projects still need to do an IN_SOURCE_BUILD of S2N. + # (e.g. aws-crt-java until this is resolved: https://github.com/awslabs/aws-crt-java/pull/817) + find_package(s2n QUIET) + + if (s2n_FOUND) + list(APPEND DEP_AWS_LIBS AWS::s2n) + else() + # Set flag to use in-source path to headers if we do an IN_SOURCE_BUILD. + aws_use_package(s2n) + add_definitions(-DAWS_S2N_INSOURCE_PATH) + endif() endif() file(GLOB IO_HEADERS diff --git a/source/s2n/s2n_tls_channel_handler.c b/source/s2n/s2n_tls_channel_handler.c index 355a64b1b..018e6c069 100644 --- a/source/s2n/s2n_tls_channel_handler.c +++ b/source/s2n/s2n_tls_channel_handler.c @@ -20,10 +20,16 @@ #include #include +#include +#ifdef AWS_S2N_INSOURCE_PATH +# include +#else +# include +#endif + #include #include #include -#include #include #include @@ -1247,7 +1253,7 @@ static struct aws_event_loop_local_object s_tl_cleanup_object = { static void s_aws_cleanup_s2n_thread_local_state(void *user_data) { (void)user_data; - s2n_cleanup(); + s2n_cleanup_thread(); } /* s2n allocates thread-local data structures. We need to clean these up when the event loop's thread exits. */ From 5227c066dbd621ecb0f156ce508309ac7609063f Mon Sep 17 00:00:00 2001 From: Igor Abdrakhimov Date: Tue, 15 Oct 2024 10:33:03 -0700 Subject: [PATCH 3/3] Handle PKCS#8 private keys in Windows (#683) Co-authored-by: Steve Kim <86316075+sbSteveK@users.noreply.github.com> --- source/windows/windows_pki_utils.c | 24 ++++++++++++++++++++ tests/CMakeLists.txt | 1 + tests/tls_handler_test.c | 36 ++++++++++++++++++++++++++++++ 3 files changed, 61 insertions(+) 
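Review bot: `find_package(s2n QUIET)` in the USE_S2N branch imposes no version floor, yet the handler change in this same patch series now calls `s2n_cleanup_thread()`, so an older system-installed s2n would be accepted at configure time and only fail at link time with an undefined symbol. Pinning the first s2n release that exports that symbol, `find_package(s2n <min-version> QUIET)`, would surface the mismatch at configure with a readable message; the exact version is not visible here and should be taken from s2n's changelog. Also worth noting in the comment above the call: because find_package() is now preferred over the in-source build, any s2nConfig.cmake reachable through CMAKE_PREFIX_PATH silently wins over an in-tree checkout, which is a supply-chain consideration for builds that previously always used aws_use_package(); a sentence such as `# NOTE: an installed s2n on CMAKE_PREFIX_PATH takes precedence over an in-source checkout.` would make that explicit.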
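Review bot: The return value of `s2n_cleanup_thread()` is discarded in `s_aws_cleanup_s2n_thread_local_state`, so a failed per-thread teardown leaves s2n's thread-local state behind with nothing in the log; assuming it returns an int like the `s2n_cleanup()` it replaces, `if (s2n_cleanup_thread() != S2N_SUCCESS) { AWS_LOGF_WARN(AWS_LS_IO_TLS, "static: s2n_cleanup_thread failed: %s", s2n_strerror(s2n_errno, "EN")); }` would make that visible without changing the callback's contract. The replaced call, per s2n's documentation, could also perform library-wide cleanup when invoked from the initializing thread, whereas the new one is per-thread only; if the handler's global shutdown path relied on this callback for that, it now needs an explicit final cleanup call there, which is outside this hunk and should be confirmed. A one-line comment above the call, `/* Per-thread teardown only; library-wide s2n state is released by the handler's global clean-up path. */`, would record the intent for the next reader.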
diff --git a/source/windows/windows_pki_utils.c b/source/windows/windows_pki_utils.c index e1c47d548..1248d798b 100644 --- a/source/windows/windows_pki_utils.c +++ b/source/windows/windows_pki_utils.c @@ -559,6 +559,7 @@ int aws_import_key_pair_to_cert_context( int result = AWS_OP_ERR; BYTE *key = NULL; + BYTE *key_wrapper = NULL; if (aws_pem_objects_init_from_file_contents(&certificates, alloc, *public_cert_chain)) { AWS_LOGF_ERROR( @@ -640,6 +641,7 @@ int aws_import_key_pair_to_cert_context( struct aws_pem_object *private_key_ptr = NULL; DWORD decoded_len = 0; + DWORD decoded_wrapper_len = 0; enum aws_certificate_type cert_type = AWS_CT_X509_UNKNOWN; size_t private_key_count = aws_array_list_length(&private_keys); for (size_t i = 0; i < private_key_count; ++i) { @@ -655,6 +657,27 @@ int aws_import_key_pair_to_cert_context( &key, &decoded_len)) { cert_type = AWS_CT_X509_RSA; + } else if (CryptDecodeObjectEx( + X509_ASN_ENCODING, + PKCS_PRIVATE_KEY_INFO, + private_key_ptr->data.buffer, + (DWORD)private_key_ptr->data.len, + CRYPT_DECODE_ALLOC_FLAG, + 0, + &key_wrapper, + &decoded_wrapper_len)) { + CRYPT_PRIVATE_KEY_INFO *pPrivateKeyInfoStruct = (CRYPT_PRIVATE_KEY_INFO *)key_wrapper; + if (CryptDecodeObjectEx( + X509_ASN_ENCODING, + PKCS_RSA_PRIVATE_KEY, + pPrivateKeyInfoStruct->PrivateKey.pbData, + pPrivateKeyInfoStruct->PrivateKey.cbData, + CRYPT_DECODE_ALLOC_FLAG, + 0, + &key, + &decoded_len)) { + cert_type = AWS_CT_X509_RSA; + } } #ifndef AWS_SUPPORT_WIN7 else if (CryptDecodeObjectEx( @@ -721,6 +744,7 @@ int aws_import_key_pair_to_cert_context( aws_pem_objects_clean_up(&private_keys); LocalFree(key); + LocalFree(key_wrapper); if (result == AWS_OP_ERR) { if (*store != NULL) { diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index d6ab13f4b..8a5362c41 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt 
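Review bot: The new PKCS#8 branch in `aws_import_key_pair_to_cert_context` decodes the PrivateKeyInfo wrapper for any algorithm but then unconditionally tries `PKCS_RSA_PRIVATE_KEY` on its `PrivateKey` blob without consulting `pPrivateKeyInfoStruct->Algorithm.pszObjId`; a PKCS#8 EC key (or any non-RSA key) therefore enters this `else if`, the inner decode fails, `cert_type` stays `AWS_CT_X509_UNKNOWN`, and the `#ifndef AWS_SUPPORT_WIN7 else if` ECC branch that follows is skipped, so the caller sees a generic failure far from its cause. Checking the OID against `szOID_RSA_RSA` before the inner decode and reporting an unsupported algorithm otherwise keeps the error next to the cause, as sketched below; the log subsystem is assumed to be the one this file already uses for its other errors. Decoding the EC inner blob the way the existing ECC branch does would be the natural follow-up. The `for` loop enclosing this branch starts and ends outside the hunk.
```c
/* … unchanged: PKCS_PRIVATE_KEY_INFO decode into key_wrapper … */
CRYPT_PRIVATE_KEY_INFO *pPrivateKeyInfoStruct = (CRYPT_PRIVATE_KEY_INFO *)key_wrapper;
/* PKCS#8 wraps any algorithm; only RSA is handled here, so check the OID before assuming RSAPrivateKey. */
if (strcmp(pPrivateKeyInfoStruct->Algorithm.pszObjId, szOID_RSA_RSA) != 0) {
    AWS_LOGF_ERROR(
        AWS_LS_IO_PKI,
        "static: PKCS#8 private key uses unsupported algorithm OID %s.",
        pPrivateKeyInfoStruct->Algorithm.pszObjId);
} else if (CryptDecodeObjectEx(
               X509_ASN_ENCODING,
               PKCS_RSA_PRIVATE_KEY,
               pPrivateKeyInfoStruct->PrivateKey.pbData,
               pPrivateKeyInfoStruct->PrivateKey.cbData,
               CRYPT_DECODE_ALLOC_FLAG,
               0,
               &key,
               &decoded_len)) {
    cert_type = AWS_CT_X509_RSA;
}
```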
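Review bot: `LocalFree(key_wrapper)` in the cleanup hunk releases the decoded PrivateKeyInfo, which carries the raw private-key bytes, without wiping it, so key material is left in freed heap memory; `SecureZeroMemory(key_wrapper, decoded_wrapper_len);` before the free (and the same for `key`/`decoded_len`, which has had the same exposure all along) would scrub it, provided the length variables are still in scope at this point, which the hunk does not show. Separately, `key_wrapper` is allocated inside the `for` over `private_keys` but freed only once here; if that loop can take the PKCS#8 branch on more than one iteration, for instance when the inner RSA decode fails and iteration continues, the earlier allocation is overwritten and leaked. The loop body is cut off by the hunk, so a `break` outside it may already prevent this; `aws_import_key_pair_to_cert_context` continues past the end of the hunk.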
@@ -246,6 +246,7 @@ if(NOT BYO_CRYPTO) add_net_test_case(alpn_successfully_negotiates) add_net_test_case(alpn_no_protocol_message) add_net_test_case(test_ecc_cert_import) + add_net_test_case(test_pkcs8_import) add_test_case(alpn_error_creating_handler) add_test_case(tls_destroy_null_context) diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c index 0b0f5c88c..a55d26077 100644 --- a/tests/tls_handler_test.c +++ b/tests/tls_handler_test.c @@ -2503,4 +2503,40 @@ static int s_test_ecc_cert_import(struct aws_allocator *allocator, void *ctx) { AWS_TEST_CASE(test_ecc_cert_import, s_test_ecc_cert_import) +static int s_test_pkcs8_import(struct aws_allocator *allocator, void *ctx) { + (void)ctx; + (void)allocator; + + aws_io_library_init(allocator); + + struct aws_byte_buf cert_buf; + struct aws_byte_buf key_buf; + + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&cert_buf, allocator, "unittests.crt")); + ASSERT_SUCCESS(aws_byte_buf_init_from_file(&key_buf, allocator, "unittests.p8")); + + struct aws_byte_cursor cert_cur = aws_byte_cursor_from_buf(&cert_buf); + struct aws_byte_cursor key_cur = aws_byte_cursor_from_buf(&key_buf); + struct aws_tls_ctx_options tls_options = {0}; + AWS_FATAL_ASSERT( + AWS_OP_SUCCESS == aws_tls_ctx_options_init_client_mtls(&tls_options, allocator, &cert_cur, &key_cur)); + + /* import happens in here */ + struct aws_tls_ctx *tls_context = aws_tls_client_ctx_new(allocator, &tls_options); + ASSERT_NOT_NULL(tls_context); + + aws_tls_ctx_release(tls_context); + + aws_tls_ctx_options_clean_up(&tls_options); + + aws_byte_buf_clean_up(&cert_buf); + aws_byte_buf_clean_up(&key_buf); + + aws_io_library_clean_up(); + + return AWS_OP_SUCCESS; +} + +AWS_TEST_CASE(test_pkcs8_import, s_test_pkcs8_import) + #endif /* BYO_CRYPTO */
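Review bot: `s_test_pkcs8_import` only asserts that `aws_tls_client_ctx_new` returns non-NULL, so a PKCS#8 key imported as the wrong type, or a non-RSA PKCS#8 key that the Windows path now leaves with an unknown certificate type, has no coverage; a second case feeding a PKCS#8 EC key or a malformed `.p8` and asserting the expected result would pin the new branch rather than just the happy path. `(void)allocator;` on the third line of the function is contradicted by `aws_io_library_init(allocator)` immediately below and can be dropped. The case is registered with `add_net_test_case` in tests/CMakeLists.txt although it performs no network I/O; if that macro gates on network availability as its name suggests, `add_test_case` would keep it running in offline builds, though the neighbouring `test_ecc_cert_import` uses the same registration so this may be deliberate.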