Merge branch 'main' into ruby-integration

justsmth · Sep 13, 2024 · 9b5f080 · 9b5f080
2 parents 6154f4d + 67e44f9
commit 9b5f080
Show file tree

Hide file tree

Showing 4 changed files with 136 additions and 11 deletions.
diff --git a/.github/workflows/integrations.yml b/.github/workflows/integrations.yml
@@ -175,7 +175,7 @@ jobs:
       - name: Run strongswan build
         run: |
           ./tests/ci/integration/run_strongswan_integration.sh
-  openvpn:
+  openvpn2-6:
     if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest
     steps:
@@ -187,9 +187,24 @@ jobs:
           libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
           python3-docutils
       - uses: actions/checkout@v4
-      - name: Run openvpn build
+      - name: Run openvpn build 2.6.x
         run: |
-          ./tests/ci/integration/run_openvpn_integration.sh
+          ./tests/ci/integration/run_openvpn_integration.sh release/2.6
+  openvpnMaster:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install OS Dependencies
+        run: |
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
+          sudo apt-get -y --no-install-recommends install \
+          cmake gcc ninja-build golang libnl-3-dev libnl-genl-3-dev \
+          libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
+          python3-docutils
+      - uses: actions/checkout@v4
+      - name: Run openvpn build main
+        run: |
+          ./tests/ci/integration/run_openvpn_integration.sh master
   libevent:
     if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -824,6 +824,16 @@ else()
   set(ARCH "generic")
 endif()
 
+# If target ARCH is 32-bit x86, ensure SSE2 is enabled since it's used by the optimized assembly.
+# To build for targets that do not support SSE2, use the `OPENSSL_NO_ASM` flag.
+if(ARCH STREQUAL "x86" AND NOT OPENSSL_NO_SSE2_FOR_TESTING)
+  # Most compilers enable SSE2 in 32-bit x86 by default, but in some cases GCC and Clang don't.
+  # See: https://github.com/aws/aws-lc/commit/6fe8dcbe96e580ea85233fdb98a142e42951b70b
+  if(GCC OR CLANG)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -msse2")
+  endif()
+endif()
+
 if(ENABLE_DATA_INDEPENDENT_TIMING_AARCH64)
   add_definitions(-DMAKE_DIT_AVAILABLE)
 endif()

diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn-master.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn-master.patch
@@ -0,0 +1,86 @@
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index fbd38f3d..b4a37d42 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -1397,7 +1397,7 @@ out:
+
+     return ret;
+ }
+-#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL)
++#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(OPENSSL_IS_AWSLC)
+ bool
+ ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
+              int secret_len, uint8_t *output, int output_len)
+@@ -1443,6 +1443,13 @@ out:
+     EVP_PKEY_CTX_free(pctx);
+     return ret;
+ }
++#elif defined(OPENSSL_IS_AWSLC) 
++bool
++ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec,
++             int slen, uint8_t *out1, int olen)
++{
++    CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0);
++}
+ #else  /* if defined(LIBRESSL_VERSION_NUMBER) */
+ /* LibreSSL and wolfSSL do not expose a TLS 1.0/1.1 PRF via the same APIs as
+  * OpenSSL does. As result they will only be able to support
+diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
+index 95417b22..61b632dd 100644
+--- a/src/openvpn/openssl_compat.h
++++ b/src/openvpn/openssl_compat.h
+@@ -75,7 +75,7 @@ X509_OBJECT_free(X509_OBJECT *obj)
+ #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+ #endif
+
+-#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL
++#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL || defined(OPENSSL_IS_AWSLC)
+ #define SSL_get_peer_tmp_key SSL_get_server_tmp_key
+ #endif
+
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index 0d845f4a..c47a0c5d 100644
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -1631,7 +1631,11 @@ tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
+
+     /* Among init methods, we only need the finish method */
+     EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, NULL, NULL);
++#ifdef OPENSSL_IS_AWSLC
++    EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, NULL, ecdsa_sign_sig);
++#else
+     EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig);
++#endif
+
+     ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey));
+     if (!ec)
+@@ -1857,9 +1861,11 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
+             }
+             sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
+         }
+-
++        
++        int cnum;
+         if (tls_server)
+         {
++            cnum = sk_X509_NAME_num(cert_names);
+             SSL_CTX_set_client_CA_list(ctx->ctx, cert_names);
+         }
+
+@@ -1872,7 +1878,6 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
+
+         if (tls_server)
+         {
+-            int cnum = sk_X509_NAME_num(cert_names);
+             if (cnum != added)
+             {
+                 crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d "
+@@ -2520,7 +2525,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
+         crypto_msg(M_FATAL, "Cannot create SSL object");
+     }
+
+-#if OPENSSL_VERSION_NUMBER < 0x1010000fL
++#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC)
+     STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
+ #else
+     STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
diff --git a/tests/ci/integration/run_openvpn_integration.sh b/tests/ci/integration/run_openvpn_integration.sh
@@ -25,6 +25,12 @@ OPENVPN_PATCH_BUILD_FOLDER="${SRC_ROOT}/tests/ci/integration/openvpn_patch"
 AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
 AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
 
+# Check if branch name is passed as an argument
+if [ $# -eq 0 ]; then
+  echo "No branch name provided. Usage: $0 <branch_name>"
+  exit 1
+fi
+BRANCH_NAME=$1
 
 mkdir -p ${SCRATCH_FOLDER}
 rm -rf "${SCRATCH_FOLDER:?}"/*
@@ -52,10 +58,21 @@ function openvpn_build() {
 
 # TODO: Remove this when we make an upstream contribution.
 function openvpn_patch_build() {
-  for patchfile in $(find -L "${OPENVPN_PATCH_BUILD_FOLDER}" -type f -name '*.patch'); do
-    echo "Apply patch $patchfile..."
-    patch -p1 --quiet -i "$patchfile"
-  done
+  case "$BRANCH_NAME" in
+    "release/2.6")
+      patchfile="${OPENVPN_PATCH_BUILD_FOLDER}/aws-lc-openvpn2-6-x.patch"
+      ;;
+    "master")
+      patchfile="${OPENVPN_PATCH_BUILD_FOLDER}/aws-lc-openvpn-master.patch"
+      ;;
+    *)
+      echo "No specific patch file for branch: $BRANCH_NAME"
+      exit 1
+      ;;
+  esac
+
+  echo "Apply patch $patchfile..."
+  patch -p1 --quiet -i "$patchfile"
 }
 
 function openvpn_run_tests() {
@@ -65,10 +82,7 @@ function openvpn_run_tests() {
 }
 
 git clone https://github.com/OpenVPN/openvpn.git ${OPENVPN_SRC_FOLDER}
-
-# anchoring to tip of minor release 2.6.x for OpenVPN, currently not compatible
-# with tip of main
-cd ${OPENVPN_SRC_FOLDER} && git checkout release/2.6
+cd ${OPENVPN_SRC_FOLDER} && git checkout $BRANCH_NAME
 mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER}
 ls