
Commit 582a63a

Merge branch 'sha3-xof' of github.com:jakemas/aws-lc into sha3-xof
2 parents ec4218f + cfcf293 commit 582a63a


3 files changed

+126
-11
lines changed


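--- a/.github/workflows/integrations.yml
+++ b/.github/workflows/integrations.yml
@@ -175,7 +175,7 @@ jobs:
 - name: Run strongswan build
 run: |
 ./tests/ci/integration/run_strongswan_integration.sh
-openvpn:
+openvpn2-6:
 if: github.repository_owner == 'aws'
 runs-on: ubuntu-latest
 steps:
@@ -187,9 +187,24 @@ jobs:
 libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
 python3-docutils
 - uses: actions/checkout@v4
-- name: Run openvpn build
+- name: Run openvpn build 2.6.x
 run: |
-./tests/ci/integration/run_openvpn_integration.sh
+./tests/ci/integration/run_openvpn_integration.sh release/2.6
+openvpnMaster:
+if: github.repository_owner == 'aws'
+runs-on: ubuntu-latest
+steps:
+- name: Install OS Dependencies
+run: |
+sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
+sudo apt-get -y --no-install-recommends install \
+cmake gcc ninja-build golang libnl-3-dev libnl-genl-3-dev \
+libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
+python3-docutils
+- uses: actions/checkout@v4
+- name: Run openvpn build main
+run: |
+./tests/ci/integration/run_openvpn_integration.sh master
 libevent:
 if: github.repository_owner == 'aws'
 runs-on: ubuntu-latest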
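Review bot: The new `openvpnMaster` job in the second hunk repeats the `openvpn2-6` job line for line except for the branch passed to `run_openvpn_integration.sh`, so the OS dependency list now has to be kept in sync in two places. A `strategy.matrix` over the branch name keeps a single job definition and feeds the value into the script call; the rewritten lines are below, with the dependency and checkout steps left as they are. The start of the `openvpn2-6` job is in the first hunk and the rest of the `jobs:` map lies outside this section.
```yaml
openvpn:
  if: github.repository_owner == 'aws'
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      branch: [release/2.6, master]
  steps:
    # … unchanged: Install OS Dependencies and actions/checkout@v4 steps …
    - name: Run openvpn build ${{ matrix.branch }}
      run: |
        ./tests/ci/integration/run_openvpn_integration.sh ${{ matrix.branch }}
```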
Lines changed: 86 additions & 0 deletions
@@ -0,0 +1,86 @@
1+
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
2+
index fbd38f3d..b4a37d42 100644
3+
--- a/src/openvpn/crypto_openssl.c
4+
+++ b/src/openvpn/crypto_openssl.c
5+
@@ -1397,7 +1397,7 @@ out:
6+
7+
return ret;
8+
}
9+
-#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL)
10+
+#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(OPENSSL_IS_AWSLC)
11+
bool
12+
ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
13+
int secret_len, uint8_t *output, int output_len)
14+
@@ -1443,6 +1443,13 @@ out:
15+
EVP_PKEY_CTX_free(pctx);
16+
return ret;
17+
}
18+
+#elif defined(OPENSSL_IS_AWSLC)
19+
+bool
20+
+ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec,
21+
+ int slen, uint8_t *out1, int olen)
22+
+{
23+
+ CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0);
24+
+}
25+
#else /* if defined(LIBRESSL_VERSION_NUMBER) */
26+
/* LibreSSL and wolfSSL do not expose a TLS 1.0/1.1 PRF via the same APIs as
27+
* OpenSSL does. As result they will only be able to support
28+
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
29+
index 95417b22..61b632dd 100644
30+
--- a/src/openvpn/openssl_compat.h
31+
+++ b/src/openvpn/openssl_compat.h
32+
@@ -75,7 +75,7 @@ X509_OBJECT_free(X509_OBJECT *obj)
33+
#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
34+
#endif
35+
36+
-#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL
37+
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL || defined(OPENSSL_IS_AWSLC)
38+
#define SSL_get_peer_tmp_key SSL_get_server_tmp_key
39+
#endif
40+
41+
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
42+
index 0d845f4a..c47a0c5d 100644
43+
--- a/src/openvpn/ssl_openssl.c
44+
+++ b/src/openvpn/ssl_openssl.c
45+
@@ -1631,7 +1631,11 @@ tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
46+
47+
/* Among init methods, we only need the finish method */
48+
EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, NULL, NULL);
49+
+#ifdef OPENSSL_IS_AWSLC
50+
+ EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, NULL, ecdsa_sign_sig);
51+
+#else
52+
EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig);
53+
+#endif
54+
55+
ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey));
56+
if (!ec)
57+
@@ -1857,9 +1861,11 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
58+
}
59+
sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
60+
}
61+
-
62+
+
63+
+ int cnum;
64+
if (tls_server)
65+
{
66+
+ cnum = sk_X509_NAME_num(cert_names);
67+
SSL_CTX_set_client_CA_list(ctx->ctx, cert_names);
68+
}
69+
70+
@@ -1872,7 +1878,6 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
71+
72+
if (tls_server)
73+
{
74+
- int cnum = sk_X509_NAME_num(cert_names);
75+
if (cnum != added)
76+
{
77+
crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d "
78+
@@ -2520,7 +2525,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
79+
crypto_msg(M_FATAL, "Cannot create SSL object");
80+
}
81+
82+
-#if OPENSSL_VERSION_NUMBER < 0x1010000fL
83+
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC)
84+
STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
85+
#else
86+
STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);

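--- a/tests/ci/integration/run_openvpn_integration.sh
+++ b/tests/ci/integration/run_openvpn_integration.sh
@@ -25,6 +25,12 @@ OPENVPN_PATCH_BUILD_FOLDER="${SRC_ROOT}/tests/ci/integration/openvpn_patch"
 AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
 AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
 
+# Check if branch name is passed as an argument
+if [ $# -eq 0 ]; then
+echo "No branch name provided. Usage: $0 <branch_name>"
+exit 1
+fi
+BRANCH_NAME=$1
 
 mkdir -p ${SCRATCH_FOLDER}
 rm -rf "${SCRATCH_FOLDER:?}"/*
@@ -52,10 +58,21 @@ function openvpn_build() {
 
 # TODO: Remove this when we make an upstream contribution.
 function openvpn_patch_build() {
-for patchfile in $(find -L "${OPENVPN_PATCH_BUILD_FOLDER}" -type f -name '*.patch'); do
-echo "Apply patch $patchfile..."
-patch -p1 --quiet -i "$patchfile"
-done
+case "$BRANCH_NAME" in
+"release/2.6")
+patchfile="${OPENVPN_PATCH_BUILD_FOLDER}/aws-lc-openvpn2-6-x.patch"
+;;
+"master")
+patchfile="${OPENVPN_PATCH_BUILD_FOLDER}/aws-lc-openvpn-master.patch"
+;;
+*)
+echo "No specific patch file for branch: $BRANCH_NAME"
+exit 1
+;;
+esac
+
+echo "Apply patch $patchfile..."
+patch -p1 --quiet -i "$patchfile"
 }
 
 function openvpn_run_tests() {
@@ -65,10 +82,7 @@ function openvpn_run_tests() {
 }
 
 git clone https://github.com/OpenVPN/openvpn.git ${OPENVPN_SRC_FOLDER}
-
-# anchoring to tip of minor release 2.6.x for OpenVPN, currently not compatible
-# with tip of main
-cd ${OPENVPN_SRC_FOLDER} && git checkout release/2.6
+cd ${OPENVPN_SRC_FOLDER} && git checkout $BRANCH_NAME
 mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER}
 ls
 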
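Review bot: `git checkout $BRANCH_NAME` in the last hunk expands the argument unquoted, so a value containing whitespace or glob characters is word-split before git sees it; write `git checkout "$BRANCH_NAME"`, as the `case "$BRANCH_NAME"` in `openvpn_patch_build` already does. In the second hunk `patchfile` is now a plain assignment rather than the old `for` loop variable, so it leaks into the script's global scope; `local patchfile` at the top of `openvpn_patch_build` keeps it contained. The only validation of the branch name is the `case` inside `openvpn_patch_build`, so if that function is invoked after the clone and checkout (its call site is outside this section), an unsupported branch is rejected only after both have run; moving the accepted-branch check next to `BRANCH_NAME=$1` fails fast before any network work.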