Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add netty-tcnative patches and tests #2006

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Add netty-tcnative patches and tests #2006

wants to merge 2 commits into from

Conversation

skmcgrail
Copy link
Member

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@skmcgrail skmcgrail changed the title Add netty-tcnative patches and tests [DRAFT] Add netty-tcnative patches and tests Nov 20, 2024
@skmcgrail skmcgrail force-pushed the netty-tcnative branch 4 times, most recently from 908e58f to 0308878 Compare November 20, 2024 20:53
@codecov-commenter
Copy link

codecov-commenter commented Nov 20, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.90%. Comparing base (80f984e) to head (8e020ba).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2006      +/-   ##
==========================================
- Coverage   78.90%   78.90%   -0.01%     
==========================================
  Files         594      594              
  Lines      102415   102414       -1     
  Branches    14517    14517              
==========================================
- Hits        80812    80805       -7     
- Misses      20953    20958       +5     
- Partials      650      651       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚨 Try these New Features:

@skmcgrail skmcgrail force-pushed the netty-tcnative branch 5 times, most recently from 983fc3e to 45b03b3 Compare November 21, 2024 17:47
@skmcgrail skmcgrail changed the title [DRAFT] Add netty-tcnative patches and tests Add netty-tcnative patches and tests Nov 21, 2024
@skmcgrail skmcgrail marked this pull request as ready for review November 21, 2024 21:42
@skmcgrail skmcgrail requested a review from a team as a code owner November 21, 2024 21:42
@skmcgrail skmcgrail requested a review from justsmth November 25, 2024 17:30
andrewhop
andrewhop reviewed Dec 3, 2024
View reviewed changes
tests/ci/integration/run_netty_tcnative_integration.sh
mkdir -p "${INTERROGATE_DIR}"
pushd "${INTERROGATE_DIR}"
unzip "${TARGET_JAR}"
nm "META-INF/native/libnetty_tcnative_${UNAME_S}_${UNAME_P}.so" | grep awslc_api_version_num
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Double checking: if this grep doesn't find awslc_api_version_num does the whole GitHub job fail?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes because of the pipefail option configured above.

tests/ci/integration/run_netty_tcnative_integration.sh
Comment on lines +101 to +109
# Shared Build
wrapper_aws_lc_build "-DBUILD_SHARED_LIBS=1"

build_netty_tcnative -am -pl openssl-dynamic clean verify

# Shared FIPS Build
wrapper_aws_lc_build "-DBUILD_SHARED_LIBS=1" "-DFIPS=1"

build_netty_tcnative -am -pl openssl-dynamic clean verify
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there anyway to detect if these shared builds are using the system OpenSSL or AWS-LC?

tests/ci/integration/run_netty_tcnative_integration.sh
# Shared Build
wrapper_aws_lc_build "-DBUILD_SHARED_LIBS=1"

build_netty_tcnative -am -pl openssl-dynamic clean verify
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does verify run all of tcnative's tests?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct, which there are very sparse/few tests.

tests/ci/integration/netty_tcnative_patch/netty-tcnative-parent-2.0.62.Final.patch
Comment on lines +413 to +420
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
sk_CRYPTO_BUFFER_pop_free(chain, CRYPTO_BUFFER_free);
#else
sk_X509_pop_free(chain, X509_free);
X509_free(cert);
-#endif // OPENSSL_IS_BORINGSSL
+#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't get some of these if/def's we have sk_X509_pop_free and X509_free

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is due to the code in netty-tcnative leveraging the TLS_with_buffers_method when constructing the SSL_CTX with SSL_CTX_new. This is a feature that BoringSSL added that Netty is taking advantage of to avoid usage of the more expensive X509 structure. This retains the certificate in a CRYPTO_BUFFER, thus alternative functions need to be used for the differing types. See our porting guide.

@skmcgrail skmcgrail marked this pull request as draft December 11, 2024 18:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewhop andrewhop andrewhop left review comments

@justsmth justsmth justsmth approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@skmcgrail @codecov-commenter @andrewhop @justsmth