Add OpenVPN to CI (#1705)

### Description of changes: 1. Added patch for TLS1_PRF to use alternative codepath in OpenVPN (for versions <= 2.6.x) 2. integration script and workflow for Github CI ### Call-outs: - We anchor to tip of the minor version 2.6.x. We can not support OpenVPN versions > 2.6 as tip of main has removed the alternate codepath for TLS1_PRF that we currently rely on. This change should be pulled into the next minor version of OpenVPN and will break AWS-LC compatibility. - Management interface is disabled when building openVPN, this will be changed in a later PR once we add in support. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
aws · Jul 25, 2024 · fc14c55 · fc14c55
1 parent b7d7a99
commit fc14c55
Show file tree

Hide file tree

Showing 4 changed files with 129 additions and 27 deletions.
diff --git a/.github/workflows/integrations.yml b/.github/workflows/integrations.yml
@@ -175,6 +175,21 @@ jobs:
       - name: Run strongswan build
         run: |
           ./tests/ci/integration/run_strongswan_integration.sh
+  openvpn:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install OS Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get -y --no-install-recommends install \
+          cmake gcc ninja-build golang libnl-3-dev libnl-genl-3-dev \
+          libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
+          python3-docutils
+      - uses: actions/checkout@v4
+      - name: Run openvpn build
+        run: |
+          ./tests/ci/integration/run_openvpn_integration.sh
   libevent:
     if: github.repository_owner == 'aws'
     runs-on: ubuntu-latest

diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn-cert.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn-cert.patch
diff --git a/...ration/openvpn_patch/aws-lc-openvpn.patch → ...n/openvpn_patch/aws-lc-openvpn2-6-x.patch b/...ration/openvpn_patch/aws-lc-openvpn.patch → ...n/openvpn_patch/aws-lc-openvpn2-6-x.patch
@@ -1,8 +1,17 @@
 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index 50683b67..eef80d54 100644
+index fbc95ff7..e174ed76 100644
 --- a/src/openvpn/crypto_openssl.c
 +++ b/src/openvpn/crypto_openssl.c
-@@ -1460,7 +1460,12 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
+@@ -1398,7 +1398,7 @@ memcmp_constant_time(const void *a, const void *b, size_t size)
+     return CRYPTO_memcmp(a, b, size);
+ }
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_AWSLC)
+ bool
+ ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
+              int secret_len, uint8_t *output, int output_len)
+@@ -1478,7 +1478,12 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
      int ret = false;
 
      chunk = EVP_MD_size(md);
@@ -29,10 +38,29 @@ index c9fa7196..a48ef391 100644
  #endif
 
 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index 4383e981..bd2039d3 100644
+index 2595f878..cf99c3ec 100644
 --- a/src/openvpn/ssl_openssl.c
 +++ b/src/openvpn/ssl_openssl.c
-@@ -2314,7 +2314,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
+@@ -1658,8 +1658,10 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
+             sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
+         }
+
++        int cnum;
+         if (tls_server)
+         {
++            cnum = sk_X509_NAME_num(cert_names);
+             SSL_CTX_set_client_CA_list(ctx->ctx, cert_names);
+         }
+
+@@ -1672,7 +1674,6 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
+
+         if (tls_server)
+         {
+-            int cnum = sk_X509_NAME_num(cert_names);
+             if (cnum != added)
+             {
+                 crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d "
+@@ -2234,7 +2235,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
          crypto_msg(M_FATAL, "Cannot create SSL object");
      }
 

diff --git a/tests/ci/integration/run_openvpn_integration.sh b/tests/ci/integration/run_openvpn_integration.sh
@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -exu
+
+source tests/ci/common_posix_setup.sh
+
+# Set up environment.
+
+# SYS_ROOT
+#  - SRC_ROOT(aws-lc)
+#    - SCRATCH_FOLDER
+#      - OPENVPN_SRC_FOLDER
+#      - AWS_LC_BUILD_FOLDER
+#      - AWS_LC_INSTALL_FOLDER
+
+# Assumes script is executed from the root of aws-lc directory
+SCRATCH_FOLDER="${SRC_ROOT}/OPENVPN_BUILD_ROOT"
+OPENVPN_SRC_FOLDER="${SCRATCH_FOLDER}/openvpn"
+OPENVPN_BUILD_PREFIX="${OPENVPN_SRC_FOLDER}/build/install"
+OPENVPN_BUILD_EPREFIX="${OPENVPN_SRC_FOLDER}/build/exec-install"
+OPENVPN_PATCH_BUILD_FOLDER="${SRC_ROOT}/tests/ci/integration/openvpn_patch"
+
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+
+
+mkdir -p ${SCRATCH_FOLDER}
+rm -rf "${SCRATCH_FOLDER:?}"/*
+cd ${SCRATCH_FOLDER}
+
+function openvpn_build() {
+  autoreconf -ivf
+
+  OPENSSL_CFLAGS="-I/${AWS_LC_INSTALL_FOLDER}/include" \
+  OPENSSL_LIBS="-L/${AWS_LC_INSTALL_FOLDER}/lib -lssl -lcrypto" \
+  ./configure \
+    --prefix="$OPENVPN_BUILD_PREFIX" \
+    --exec-prefix="$OPENVPN_BUILD_EPREFIX" \
+    --with-crypto-library=openssl \
+    --with-openssl-engine=no \
+    --disable-management
+
+  make -j install
+
+  export LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib"
+
+  local openvpn_executable="${OPENVPN_SRC_FOLDER}/build/exec-install/sbin/openvpn"
+  ldd ${openvpn_executable} \
+    | grep "${AWS_LC_INSTALL_FOLDER}/lib/libcrypto.so" || exit 1
+}
+
+# TODO: Remove this when we make an upstream contribution.
+function openvpn_patch_build() {
+  for patchfile in $(find -L "${OPENVPN_PATCH_BUILD_FOLDER}" -type f -name '*.patch'); do
+    echo "Apply patch $patchfile..."
+    patch -p1 --quiet -i "$patchfile"
+  done
+}
+
+function openvpn_run_tests() {
+  # Explicitly running as sudo and passing in LD_LIBRARY_PATH as some OpenVPN
+  # tests run as sudo and LD_LIBRARY_PATH doesn't get inherited.
+  sudo LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib" make check
+}
+
+git clone https://github.com/OpenVPN/openvpn.git ${OPENVPN_SRC_FOLDER}
+
+# anchoring to tip of minor release 2.6.x for OpenVPN, currently not compatible
+# with tip of main
+cd ${OPENVPN_SRC_FOLDER} && git checkout release/2.6
+mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER}
+ls
+
+aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=Debug -DBUILD_SHARED_LIBS=1
+
+# Build openvpn from source.
+pushd ${OPENVPN_SRC_FOLDER}
+openvpn_patch_build
+openvpn_build
+openvpn_run_tests