Update contrib/restricted/aws/s2n to 1.3.16

1 files changed, 14 insertions, 9 deletions

diff --git a/contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c b/contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c
index 3be8de854f..353c841f87 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c
@@ -26,16 +26,19 @@
 #include "utils/s2n_safety.h"
 #include "utils/s2n_blob.h"
 
-/* LibreSSL, BoringSSL and AWS-LC support the cipher, but the interface is different from Openssl's. We
- * should define a separate s2n_cipher struct for LibreSSL, BoringSSL and AWS-LC.
+/* LibreSSL and BoringSSL support the cipher, but the interface is different from Openssl's. We
+ * should define a separate s2n_cipher struct for LibreSSL and BoringSSL.
  */
-#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
 /* Symbols for AES-SHA1-CBC composite ciphers were added in Openssl 1.0.1
  * These composite ciphers exhibit erratic behavior in LibreSSL releases.
  */
-#if S2N_OPENSSL_VERSION_AT_LEAST(1,0,1) 
+#if S2N_OPENSSL_VERSION_AT_LEAST(1,0,1)
 #define S2N_AES_SHA1_COMPOSITE_AVAILABLE
 #endif
+#if defined(AWSLC_API_VERSION) && (AWSLC_API_VERSION <= 17)
+#undef S2N_AES_SHA1_COMPOSITE_AVAILABLE
+#endif
 /* Symbols for AES-SHA256-CBC composite ciphers were added in Openssl 1.0.2
  * See https://www.openssl.org/news/cl102.txt
  * These composite ciphers exhibit erratic behavior in LibreSSL releases.
@@ -43,7 +46,9 @@
 #if S2N_OPENSSL_VERSION_AT_LEAST(1,0,2)
 #define S2N_AES_SHA256_COMPOSITE_AVAILABLE
 #endif
-
+#if defined(AWSLC_API_VERSION) && (AWSLC_API_VERSION <= 17)
+#undef S2N_AES_SHA256_COMPOSITE_AVAILABLE
+#endif
 #endif
 
 /* Silly accessors, but we avoid using version macro guards in multiple places */
@@ -125,11 +130,11 @@ static uint8_t s2n_composite_cipher_aes256_sha256_available(void)
 static int s2n_composite_cipher_aes_sha_initial_hmac(struct s2n_session_key *key, uint8_t *sequence_number, uint8_t content_type,
                                                      uint16_t protocol_version, uint16_t payload_and_eiv_len, int *extra)
 {
-    /* BoringSSL and AWS-LC do not support these composite ciphers with the existing EVP API, and they took out the
-     * constants used below. This method should never be called with BoringSSL or AWS-LC because the isAvaliable checked
-     * will fail. Instead of defining a possibly dangerous default or hard coding this to 0x16 error out with BoringSSL and AWS-LC.
+    /* BoringSSL and AWS-LC(AWSLC_API_VERSION <= 17) do not support these composite ciphers with the existing EVP API, and they took out the
+     * constants used below. This method should never be called with BoringSSL or AWS-LC(AWSLC_API_VERSION <= 17) because the isAvaliable checked
+     * will fail. Instead of defining a possibly dangerous default or hard coding this to 0x16 error out with BoringSSL and AWS-LC(AWSLC_API_VERSION <= 17).
      */
-#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+#if defined(OPENSSL_IS_BORINGSSL) || (defined(AWSLC_API_VERSION) && (AWSLC_API_VERSION <= 17))
   POSIX_BAIL(S2N_ERR_NO_SUPPORTED_LIBCRYPTO_API);
 #else
     uint8_t ctrl_buf[S2N_TLS12_AAD_LEN];