Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add OpenVPN tip of main to CI #1843

Merged
merged 4 commits into from
Sep 12, 2024
Merged

Add OpenVPN tip of main to CI #1843

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9e1d08f
added ci check for openvpn main
smittals2 Sep 10, 2024
5d5b46c
updated main name
smittals2 Sep 10, 2024
f69c721
fix typo
smittals2 Sep 10, 2024
299c0f1
updated patch file
smittals2 Sep 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 18 additions & 3 deletions .github/workflows/integrations.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,7 +175,7 @@ jobs:
- name: Run strongswan build
run: |
./tests/ci/integration/run_strongswan_integration.sh
openvpn:
openvpn2-6:
if: github.repository_owner == 'aws'
runs-on: ubuntu-latest
steps:
Expand All @@ -187,9 +187,24 @@ jobs:
libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
python3-docutils
- uses: actions/checkout@v4
- name: Run openvpn build
- name: Run openvpn build 2.6.x
run: |
./tests/ci/integration/run_openvpn_integration.sh
./tests/ci/integration/run_openvpn_integration.sh release/2.6
openvpnMaster:
if: github.repository_owner == 'aws'
runs-on: ubuntu-latest
steps:
- name: Install OS Dependencies
run: |
sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
sudo apt-get -y --no-install-recommends install \
cmake gcc ninja-build golang libnl-3-dev libnl-genl-3-dev \
libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
python3-docutils
- uses: actions/checkout@v4
- name: Run openvpn build main
run: |
./tests/ci/integration/run_openvpn_integration.sh master
libevent:
if: github.repository_owner == 'aws'
runs-on: ubuntu-latest
Expand Down
86 changes: 86 additions & 0 deletions tests/ci/integration/openvpn_patch/aws-lc-openvpn-master.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index fbd38f3d..b4a37d42 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -1397,7 +1397,7 @@ out:

return ret;
}
-#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL)
+#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(OPENSSL_IS_AWSLC)
bool
ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
int secret_len, uint8_t *output, int output_len)
@@ -1443,6 +1443,13 @@ out:
EVP_PKEY_CTX_free(pctx);
return ret;
}
+#elif defined(OPENSSL_IS_AWSLC)
+bool
+ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec,
+ int slen, uint8_t *out1, int olen)
+{
+ CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0);
+}
#else /* if defined(LIBRESSL_VERSION_NUMBER) */
/* LibreSSL and wolfSSL do not expose a TLS 1.0/1.1 PRF via the same APIs as
* OpenSSL does. As result they will only be able to support
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 95417b22..61b632dd 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -75,7 +75,7 @@ X509_OBJECT_free(X509_OBJECT *obj)
#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
#endif

-#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL || defined(OPENSSL_IS_AWSLC)
#define SSL_get_peer_tmp_key SSL_get_server_tmp_key
#endif

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 0d845f4a..c47a0c5d 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1631,7 +1631,11 @@ tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)

/* Among init methods, we only need the finish method */
EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, NULL, NULL);
+#ifdef OPENSSL_IS_AWSLC
+ EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, NULL, ecdsa_sign_sig);
+#else
EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig);
+#endif

ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey));
if (!ec)
@@ -1857,9 +1861,11 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
}
sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
}
-
+
+ int cnum;
if (tls_server)
{
+ cnum = sk_X509_NAME_num(cert_names);
SSL_CTX_set_client_CA_list(ctx->ctx, cert_names);
}

@@ -1872,7 +1878,6 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,

if (tls_server)
{
- int cnum = sk_X509_NAME_num(cert_names);
if (cnum != added)
{
crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d "
@@ -2520,7 +2525,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
crypto_msg(M_FATAL, "Cannot create SSL object");
}

-#if OPENSSL_VERSION_NUMBER < 0x1010000fL
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC)
STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
#else
STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
30 changes: 22 additions & 8 deletions tests/ci/integration/run_openvpn_integration.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,12 @@ OPENVPN_PATCH_BUILD_FOLDER="${SRC_ROOT}/tests/ci/integration/openvpn_patch"
AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"

# Check if branch name is passed as an argument
if [ $# -eq 0 ]; then
echo "No branch name provided. Usage: $0 <branch_name>"
exit 1
fi
BRANCH_NAME=$1

mkdir -p ${SCRATCH_FOLDER}
rm -rf "${SCRATCH_FOLDER:?}"/*
Expand Down Expand Up @@ -52,10 +58,21 @@ function openvpn_build() {

# TODO: Remove this when we make an upstream contribution.
function openvpn_patch_build() {
for patchfile in $(find -L "${OPENVPN_PATCH_BUILD_FOLDER}" -type f -name '*.patch'); do
echo "Apply patch $patchfile..."
patch -p1 --quiet -i "$patchfile"
done
case "$BRANCH_NAME" in
"release/2.6")
patchfile="${OPENVPN_PATCH_BUILD_FOLDER}/aws-lc-openvpn2-6-x.patch"
Comment on lines +62 to +63
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NP: Very minor, but is there a way we could just reconfigure the release/2.6 string to match our patch directory/file naming scheme? Maybe something like taking the / out and directing it to a release2.6 directory or file.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be fine for now, should we decide to add another branch in the future happy to refactor the code as necessary. Currently, not sure what the approach would be - probably some string manipulation stuff that would be overly complex for the current state of this script.

;;
"master")
patchfile="${OPENVPN_PATCH_BUILD_FOLDER}/aws-lc-openvpn-master.patch"
;;
*)
echo "No specific patch file for branch: $BRANCH_NAME"
exit 1
;;
esac

echo "Apply patch $patchfile..."
patch -p1 --quiet -i "$patchfile"
}

function openvpn_run_tests() {
Expand All @@ -65,10 +82,7 @@ function openvpn_run_tests() {
}

git clone https://github.com/OpenVPN/openvpn.git ${OPENVPN_SRC_FOLDER}

# anchoring to tip of minor release 2.6.x for OpenVPN, currently not compatible
# with tip of main
cd ${OPENVPN_SRC_FOLDER} && git checkout release/2.6
cd ${OPENVPN_SRC_FOLDER} && git checkout $BRANCH_NAME
mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER}
ls

Expand Down
Loading