Update contrib/restricted/aws/s2n to 1.3.12

ref:f8279d764b4c00974a63543a1364c91e2b81b7a6

1 files changed, 12 insertions, 1 deletions

diff --git a/contrib/restricted/aws/s2n/crypto/s2n_evp.h b/contrib/restricted/aws/s2n/crypto/s2n_evp.h
index 92d30bccc8..6c443efba7 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_evp.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_evp.h
@@ -16,6 +16,7 @@
 #pragma once
 
 #include <openssl/evp.h>
+#include <openssl/hmac.h>
 
 #include "crypto/s2n_openssl.h"
 #include "utils/s2n_result.h"
@@ -27,7 +28,10 @@ struct s2n_evp_digest {
 
 struct s2n_evp_hmac_state {
     struct s2n_evp_digest evp_digest;
-    EVP_PKEY *mac_key;
+    union {
+        HMAC_CTX *hmac_ctx;
+        EVP_PKEY *evp_pkey;
+    } ctx;
 };
 
 /* Define API's that change based on the OpenSSL Major Version. */
@@ -41,5 +45,12 @@ struct s2n_evp_hmac_state {
 #define S2N_EVP_MD_CTX_FREE(md_ctx) (EVP_MD_CTX_destroy(md_ctx))
 #endif
 
+/* On some versions of OpenSSL, "EVP_PKEY_CTX_set_signature_md()" is just a macro that casts digest_alg to "void*",
+ * which fails to compile when the "-Werror=cast-qual" compiler flag is enabled. So we work around this OpenSSL
+ * issue by turning off this compiler check for this one function with a cast through.
+ */
+#define S2N_EVP_PKEY_CTX_set_signature_md(ctx, md) \
+    EVP_PKEY_CTX_set_signature_md(ctx, (EVP_MD*) (uintptr_t) md)
+
 extern int s2n_digest_allow_md5_for_fips(struct s2n_evp_digest *evp_digest);
 extern S2N_RESULT s2n_digest_is_md5_allowed_for_fips(struct s2n_evp_digest *evp_digest, bool *out);