
Add OpenVPN to CI #1705

Merged
merged 19 commits into from
Jul 25, 2024

Conversation

smittals2
Contributor

@smittals2 smittals2 commented Jul 15, 2024

Description of changes:

  1. Added a patch for TLS1_PRF to use the alternative codepath in OpenVPN (for versions <= 2.6.x)
  2. Integration script and workflow for GitHub CI

Call-outs:

  • We anchor to the tip of the minor version 2.6.x. We cannot support OpenVPN versions > 2.6, as the tip of main has removed the alternate codepath for TLS1_PRF that we currently rely on. This change should be pulled into the next minor version of OpenVPN and will break AWS-LC compatibility.
  • The management interface is disabled when building OpenVPN; this will be changed in a later PR once we add in support.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@codecov-commenter

codecov-commenter commented Jul 15, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.35%. Comparing base (98ccf4a) to head (a493a20).

@@            Coverage Diff             @@
##             main    #1705      +/-   ##
==========================================
- Coverage   78.35%   78.35%   -0.01%     
==========================================
  Files         573      573              
  Lines       96065    96065              
  Branches    13764    13764              
==========================================
- Hits        75270    75268       -2     
- Misses      20195    20196       +1     
- Partials      600      601       +1     


@smittals2 smittals2 marked this pull request as ready for review July 17, 2024 01:31
@smittals2 smittals2 requested a review from a team as a code owner July 17, 2024 01:31
@smittals2 smittals2 changed the title [DRAFT] Adding OpenVPN to our CI Adding OpenVPN to our CI Jul 17, 2024
@smittals2 smittals2 changed the title Adding OpenVPN to our CI Add OpenVPN to CI Jul 17, 2024
@smittals2 smittals2 requested a review from andrewhop July 17, 2024 17:24
@smittals2 smittals2 requested review from WillChilds-Klein and removed request for samuel40791765 July 23, 2024 07:24
@smittals2 smittals2 requested a review from andrewhop July 24, 2024 00:01
Comment on lines +48 to +51
+ int cnum;
if (tls_server)
{
+ cnum = sk_X509_NAME_num(cert_names);
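Review bot: `int cnum;` is declared without an initializer on the first added line, while the only assignment shown sits inside the `if (tls_server)` branch; initializing it (`int cnum = 0;`) avoids an indeterminate value if it is ever read outside that branch. Also consider a one-line comment above `cnum = sk_X509_NAME_num(cert_names);` stating that the count is taken before SSL_CTX_set_client_CA_list because AWS-LC resets the passed-in stack; otherwise the reason for moving the assignment survives only in this review thread, which is exactly what prompted the question below.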
Contributor

Not a blocker, but why is this change needed? Looking at the source, the cert_names stack doesn't appear to be modified between these assignments of cnum.

Contributor Author

Once SSL_CTX_set_client_CA_list is called (line 52), in OpenSSL the passed-in cert_names stack remains untouched, but AWS-LC resets it. So later, when sk_X509_NAME_num is called (previously line 59), we get a 0 length in AWS-LC, which causes an error below when cnum != added (line 60). Therefore, we obtain the length of the stack before calling SSL_CTX_set_client_CA_list. This patch doesn't break behavior for OpenSSL either.

@smittals2 smittals2 merged commit fc14c55 into aws:main Jul 25, 2024
104 checks passed
skmcgrail added a commit that referenced this pull request Aug 1, 2024
## What's Changed
* Added options to x509 tool by @ecdeye in #1696
* Add support to detect Neoverse V2 cores by @andrewhop in #1706
* Move OCSP functions for Ruby out of internal.h by @samuel40791765 in #1704
* Add aes-256-xts to EVP_get_cipherbyname by @torben-hansen in #1707
* Match using CMAKE_SYSTEM_PROCESSOR_LOWER by @justsmth in #1709
* Update MySQL to 9.0.0 by @skmcgrail in #1685
* [EC] Unify scalar multiplication for P-256/384/521 by @dkostic in #1693
* Adds const qualifier to ciphertext parameter in EVP_PKEY_decapsulate by @maddeleine in #1713
* Upstream merge 2024 06 24 by @nebeid in #1661
* NIST SP 800-108r1-upd1: KDF Counter Implementation by @skmcgrail in #1644
* Upstream merge 2024 07 09 by @nebeid in #1694
* Design for support of HMAC precomputed keys by @fabrice102 in #1574
* Fix for select point from table in ec_nistp scalar_mul by @dkostic in #1719
* X509toolcomparison by @ecdeye in #1714
* AWS-LC s2n-bignum update 2024-07-22 by @dkostic in #1718
* Add OpenVPN to CI by @smittals2 in #1705
* Lower required Go version, add CI test for specific version by @andrewhop in #1717
* ec2-test-framework enhancements and graviton 4 testing by @samuel40791765 in #1715
* sha + chacha: Move AArch64/X86-64 dispatching to C. by @justsmth in #1625
* Show number of pruned ec2 instances in dashboard by @samuel40791765 in #1728
* rsa and md5 tools by @ecdeye in #1722
* FIPS 203 IPD update: ML-KEM-IPD-768 and ML-KEM-IPD-1024 by @jakemas in #1724
* bump mysql CI to 9.0.1 by @samuel40791765 in #1727
* Support utility OCSP request functions by @samuel40791765 in #1708
* add support for OCSP_SINGLERESP functions by @samuel40791765 in #1703