From 850935e5f8f6bf93c031c9c3fdc78babaef7a4ff Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Wed, 8 May 2024 16:26:33 -0700
Subject: [PATCH 01/19] defined error codes

---
 include/openssl/pkcs8.h | 3 +++
 include/openssl/rsa.h   | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/include/openssl/pkcs8.h b/include/openssl/pkcs8.h
index 8774681e8b..21cc2d813b 100644
--- a/include/openssl/pkcs8.h
+++ b/include/openssl/pkcs8.h
@@ -287,4 +287,7 @@ BSSL_NAMESPACE_END
 #define PKCS8_R_UNSUPPORTED_OPTIONS 132
 #define PKCS8_R_AMBIGUOUS_FRIENDLY_NAME 133
 
+// error code defined for OpenVPN compatability
+#define PKCS12_R_MAC_VERIFY_FAILURE 0
+
 #endif  // OPENSSL_HEADER_PKCS8_H
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 894a008e5d..1929e6604d 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -935,4 +935,7 @@ BSSL_NAMESPACE_END
 #define RSA_R_BLOCK_TYPE_IS_NOT_02 148
 #define RSA_R_MISMATCHED_SIGNATURE 248
 
+// function code for OpenVPN compatibility
+#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT 0
+
 #endif  // OPENSSL_HEADER_RSA_H

From 65dca8983d0225712dd7b4c51cfab83d035a802f Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Wed, 8 May 2024 17:40:35 -0700
Subject: [PATCH 02/19] patches to compile openvpn along with integration
 script

---
 .../openvpn_patch/aws-lc-openvpn-temp.patch   | 56 ++++++++++++++++
 .../openvpn_patch/aws-lc-openvpn.patch        | 66 +++++++++++++++++++
 .../ci/integration/run_openvpn_integration.sh | 64 ++++++++++++++++++
 3 files changed, 186 insertions(+)
 create mode 100644 tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch
 create mode 100644 tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
 create mode 100755 tests/ci/integration/run_openvpn_integration.sh

diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch
new file mode 100644
index 0000000000..8cf08c8f94
--- /dev/null
+++ b/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch
@@ -0,0 +1,56 @@
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index 61c65186..e858e422 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -1457,7 +1457,9 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
+     int ret = false;
+ 
+     chunk = EVP_MD_size(md);
++#if !defined(OPENSSL_IS_AWSLC)
+     OPENSSL_assert(chunk >= 0);
++#endif
+ 
+     ctx = md_ctx_new();
+     ctx_tmp = md_ctx_new();
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index 6efef4f0..86e58fb4 100644
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -1169,7 +1169,7 @@ end:
+ }
+ 
+ 
+-#if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER)
++#if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER) && !defined(OPENSSL_IS_AWSLC)
+ 
+ /* encrypt */
+ static int
+@@ -1503,24 +1503,28 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
+ #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+     if (EVP_PKEY_is_a(pkey, "RSA"))
+ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#if !defined(OPENSSL_IS_AWSLC)
+     {
+         if (!tls_ctx_use_external_rsa_key(ctx, pkey))
+         {
+             goto cleanup;
+         }
+     }
++#endif
+ #if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+     else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
+ #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+     else if (EVP_PKEY_is_a(pkey, "EC"))
+ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++#if !defined(OPENSSL_IS_AWSLC)
+     {
+         if (!tls_ctx_use_external_ec_key(ctx, pkey))
+         {
+             goto cleanup;
+         }
+     }
++#endif
+     else
+     {
+         crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate");
diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
new file mode 100644
index 0000000000..b546a5457f
--- /dev/null
+++ b/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
@@ -0,0 +1,66 @@
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index 61c65186..7a49ca86 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -1377,7 +1377,7 @@ out:
+ 
+     return ret;
+ }
+-#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_AWSLC)
+ bool
+ ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
+              int secret_len, uint8_t *output, int output_len)
+diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
+index c9fa7196..a48ef391 100644
+--- a/src/openvpn/openssl_compat.h
++++ b/src/openvpn/openssl_compat.h
+@@ -75,7 +75,7 @@ X509_OBJECT_free(X509_OBJECT *obj)
+ #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+ #endif
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL)
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL) || defined(OPENSSL_IS_AWSLC)
+ #define SSL_get_peer_tmp_key SSL_get_server_tmp_key
+ #endif
+ 
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index 6efef4f0..cc95bcff 100644
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -2214,7 +2214,7 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen)
+     /* Even though these methods use the deprecated NIDs instead of using
+      * string as new OpenSSL APIs do, there seem to be no API that replaces
+      * it yet */
+-#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL
++#if (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL) && !defined(OPENSSL_IS_AWSLC)
+     if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid)
+         && peer_sig_nid != NID_undef)
+     {
+@@ -2223,7 +2223,8 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen)
+ #endif
+ 
+ #if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x1010000fL) \
+-    || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL)
++    || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL) &&
++    (!defined(OPENSSL_IS_AWSLC))
+     /* LibreSSL 3.7.x and 3.8.x implement this function but do not export it
+      * and fail linking with an unresolved symbol */
+     if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid)
+@@ -2232,7 +2233,6 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen)
+         peer_sig_type = get_sigtype(peer_sig_type_nid);
+     }
+ #endif
+-
+     if (peer_sig_nid == NID_undef && peer_sig_type_nid == NID_undef)
+     {
+         return;
+@@ -2315,7 +2315,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
+         crypto_msg(M_FATAL, "Cannot create SSL object");
+     }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x1010000fL
++#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC)
+     STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
+ #else
+     STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
diff --git a/tests/ci/integration/run_openvpn_integration.sh b/tests/ci/integration/run_openvpn_integration.sh
new file mode 100755
index 0000000000..ecce9927cf
--- /dev/null
+++ b/tests/ci/integration/run_openvpn_integration.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -exu
+
+source tests/ci/common_posix_setup.sh
+
+# Set up environment.
+
+# SYS_ROOT
+#  - SRC_ROOT(aws-lc)
+#    - SCRATCH_FOLDER
+#      - OPENVPN_SRC_FOLDER
+#      - AWS_LC_BUILD_FOLDER
+#      - AWS_LC_INSTALL_FOLDER
+
+# Assumes script is executed from the root of aws-lc directory
+SCRATCH_FOLDER="${SRC_ROOT}/OPENVPN_BUILD_ROOT"
+OPENVPN_SRC_FOLDER="${SCRATCH_FOLDER}/openvpn"
+OPENVPN_PATCH_BUILD_FOLDER="${SRC_ROOT}/tests/ci/integration/openvpn_patch"
+OPENVPN_BUILD_PREFIX="${OPENVPN_SRC_FOLDER}/build/install"
+OPENVPN_BUILD_EPREFIX="${OPENVPN_SRC_FOLDER}/build/exec-install"
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+
+
+mkdir -p ${SCRATCH_FOLDER}
+rm -rf "${SCRATCH_FOLDER:?}"/*
+cd ${SCRATCH_FOLDER}
+
+function openvpn_build() {
+  autoreconf -ivf
+  export OPENSSL_CFLAGS="-I/${AWS_LC_INSTALL_FOLDER}/include" 
+  export OPENSSL_LIBS="-L/${AWS_LC_INSTALL_FOLDER}/lib64 -lssl -lcrypto" 
+  ./configure \
+  --prefix $OPENVPN_BUILD_PREFIX \
+  --exec-prefix $OPENVPN_BUILD_EPREFIX \
+  --with-crypto-library=openssl \
+  --with-openssl-engine=no   
+  
+  make 
+  make install
+}
+
+# TODO: Remove this when we make an upstream contribution.
+function openvpn_patch_build() {
+  for patchfile in $(find -L "${OPENVPN_PATCH_BUILD_FOLDER}" -type f -name '*.patch'); do
+    echo "Apply patch $patchfile..."
+    patch -p1 --quiet -i "$patchfile"
+  done
+}
+
+git clone https://github.com/OpenVPN/openvpn.git ${OPENVPN_SRC_FOLDER} --depth 1
+mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER}
+ls
+
+aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=1
+
+# Build nginx from source.
+pushd ${OPENVPN_SRC_FOLDER}
+openvpn_patch_build
+openvpn_build
+popd

From f6eecfcf19159039ab957bb6874c57b5076f691b Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Wed, 8 May 2024 18:26:07 -0700
Subject: [PATCH 03/19] modified integration script and patches

---
 .../openvpn_patch/aws-lc-openvpn-temp.patch   | 17 ++++------
 .../openvpn_patch/aws-lc-openvpn.patch        | 32 +++++++------------
 .../ci/integration/run_openvpn_integration.sh |  4 +--
 3 files changed, 20 insertions(+), 33 deletions(-)

diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch
index 8cf08c8f94..9b3ec9e930 100644
--- a/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch
+++ b/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch
@@ -13,7 +13,7 @@ index 61c65186..e858e422 100644
      ctx = md_ctx_new();
      ctx_tmp = md_ctx_new();
 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index 6efef4f0..86e58fb4 100644
+index 6efef4f0..f799e531 100644
 --- a/src/openvpn/ssl_openssl.c
 +++ b/src/openvpn/ssl_openssl.c
 @@ -1169,7 +1169,7 @@ end:
@@ -25,32 +25,29 @@ index 6efef4f0..86e58fb4 100644
  
  /* encrypt */
  static int
-@@ -1503,24 +1503,28 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
- #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+@@ -1504,10 +1504,12 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
      if (EVP_PKEY_is_a(pkey, "RSA"))
  #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
-+#if !defined(OPENSSL_IS_AWSLC)
      {
++#if !defined(OPENSSL_IS_AWSLC)
          if (!tls_ctx_use_external_rsa_key(ctx, pkey))
          {
              goto cleanup;
          }
-     }
 +#endif
+     }
  #if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
  #if OPENSSL_VERSION_NUMBER < 0x30000000L
-     else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
- #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+@@ -1516,10 +1518,12 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
      else if (EVP_PKEY_is_a(pkey, "EC"))
  #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
-+#if !defined(OPENSSL_IS_AWSLC)
      {
++#if !defined(OPENSSL_IS_AWSLC)
          if (!tls_ctx_use_external_ec_key(ctx, pkey))
          {
              goto cleanup;
          }
-     }
 +#endif
+     }
      else
      {
-         crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate");
diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
index b546a5457f..c20d47c4ad 100644
--- a/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
+++ b/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
@@ -25,37 +25,26 @@ index c9fa7196..a48ef391 100644
  #endif
  
 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index 6efef4f0..cc95bcff 100644
+index 6efef4f0..d5786d47 100644
 --- a/src/openvpn/ssl_openssl.c
 +++ b/src/openvpn/ssl_openssl.c
-@@ -2214,7 +2214,7 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen)
+@@ -2211,6 +2211,7 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen)
+     const char *peer_sig = "unknown";
+     const char *peer_sig_type = "unknown type";
+ 
++#if !defined(OPENSSL_IS_AWSLC)
      /* Even though these methods use the deprecated NIDs instead of using
       * string as new OpenSSL APIs do, there seem to be no API that replaces
       * it yet */
--#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL
-+#if (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL) && !defined(OPENSSL_IS_AWSLC)
-     if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid)
-         && peer_sig_nid != NID_undef)
-     {
-@@ -2223,7 +2223,8 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen)
- #endif
- 
- #if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x1010000fL) \
--    || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL)
-+    || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL) &&
-+    (!defined(OPENSSL_IS_AWSLC))
-     /* LibreSSL 3.7.x and 3.8.x implement this function but do not export it
-      * and fail linking with an unresolved symbol */
-     if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid)
-@@ -2232,7 +2233,6 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen)
-         peer_sig_type = get_sigtype(peer_sig_type_nid);
+@@ -2233,6 +2234,7 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen)
      }
  #endif
--
+ 
++#endif /* OPENSSL_IS_AWSLC */
      if (peer_sig_nid == NID_undef && peer_sig_type_nid == NID_undef)
      {
          return;
-@@ -2315,7 +2315,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
+@@ -2315,7 +2317,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
          crypto_msg(M_FATAL, "Cannot create SSL object");
      }
  
@@ -64,3 +53,4 @@ index 6efef4f0..cc95bcff 100644
      STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
  #else
      STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
+ls
\ No newline at end of file
diff --git a/tests/ci/integration/run_openvpn_integration.sh b/tests/ci/integration/run_openvpn_integration.sh
index ecce9927cf..6bab1b988a 100755
--- a/tests/ci/integration/run_openvpn_integration.sh
+++ b/tests/ci/integration/run_openvpn_integration.sh
@@ -31,8 +31,6 @@ cd ${SCRATCH_FOLDER}
 
 function openvpn_build() {
   autoreconf -ivf
-  export OPENSSL_CFLAGS="-I/${AWS_LC_INSTALL_FOLDER}/include" 
-  export OPENSSL_LIBS="-L/${AWS_LC_INSTALL_FOLDER}/lib64 -lssl -lcrypto" 
   ./configure \
   --prefix $OPENVPN_BUILD_PREFIX \
   --exec-prefix $OPENVPN_BUILD_EPREFIX \
@@ -60,5 +58,7 @@ aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DBUILD
 # Build nginx from source.
 pushd ${OPENVPN_SRC_FOLDER}
 openvpn_patch_build
+export OPENSSL_CFLAGS="-I/${AWS_LC_INSTALL_FOLDER}/include" 
+export OPENSSL_LIBS="-L/${AWS_LC_INSTALL_FOLDER}/lib64 -lssl -lcrypto" 
 openvpn_build
 popd

From fd44025b55a41e87dff2ab475f3d2c91906390b2 Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Thu, 9 May 2024 16:18:15 -0700
Subject: [PATCH 04/19] changed patches for openvpn

---
 .../openvpn_patch/aws-lc-openvpn-temp.patch   | 14 ------------
 .../openvpn_patch/aws-lc-openvpn.patch        | 22 ++++++++++++++++---
 2 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch
index 9b3ec9e930..09e1861319 100644
--- a/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch
+++ b/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch
@@ -1,17 +1,3 @@
-diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index 61c65186..e858e422 100644
---- a/src/openvpn/crypto_openssl.c
-+++ b/src/openvpn/crypto_openssl.c
-@@ -1457,7 +1457,9 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
-     int ret = false;
- 
-     chunk = EVP_MD_size(md);
-+#if !defined(OPENSSL_IS_AWSLC)
-     OPENSSL_assert(chunk >= 0);
-+#endif
- 
-     ctx = md_ctx_new();
-     ctx_tmp = md_ctx_new();
 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
 index 6efef4f0..f799e531 100644
 --- a/src/openvpn/ssl_openssl.c
diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
index c20d47c4ad..919da7af90 100644
--- a/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
+++ b/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
@@ -1,8 +1,16 @@
 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index 61c65186..7a49ca86 100644
+index 61c65186..bbeb5c14 100644
 --- a/src/openvpn/crypto_openssl.c
 +++ b/src/openvpn/crypto_openssl.c
-@@ -1377,7 +1377,7 @@ out:
+@@ -38,6 +38,7 @@
+ #include "buffer.h"
+ #include "integer.h"
+ #include "crypto.h"
++#include "error.h"
+ #include "crypto_backend.h"
+ #include "openssl_compat.h"
+ 
+@@ -1377,7 +1378,7 @@ out:
  
      return ret;
  }
@@ -11,6 +19,15 @@ index 61c65186..7a49ca86 100644
  bool
  ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
               int secret_len, uint8_t *output, int output_len)
+@@ -1457,7 +1458,7 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
+     int ret = false;
+ 
+     chunk = EVP_MD_size(md);
+-    OPENSSL_assert(chunk >= 0);
++    ASSERT(chunk >= 0);
+ 
+     ctx = md_ctx_new();
+     ctx_tmp = md_ctx_new();
 diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
 index c9fa7196..a48ef391 100644
 --- a/src/openvpn/openssl_compat.h
@@ -53,4 +70,3 @@ index 6efef4f0..d5786d47 100644
      STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
  #else
      STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
-ls
\ No newline at end of file

From ba8da48deb3190344ebf9e6e9dd11bd2701f4101 Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Thu, 30 May 2024 23:11:33 -0700
Subject: [PATCH 05/19] added pkcs8 to doc.config

---
 util/doc.config | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/util/doc.config b/util/doc.config
index 68c739e20c..83c5a563b7 100644
--- a/util/doc.config
+++ b/util/doc.config
@@ -52,7 +52,8 @@
       "include/openssl/evp.h",
       "include/openssl/hpke.h",
       "include/openssl/kdf.h",
-      "include/openssl/ocsp.h"
+      "include/openssl/ocsp.h",
+      "include/openssl/pkcs8.h"
     ]
   },{
     "Name": "Legacy ASN.1 and X.509 implementation (documentation in progress)",

From 3f7cf165888090c4132438320a54dff3040ebb9c Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Thu, 30 May 2024 23:12:58 -0700
Subject: [PATCH 06/19] changed comment for error code

---
 include/openssl/pkcs8.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/openssl/pkcs8.h b/include/openssl/pkcs8.h
index 21cc2d813b..1e2087ccee 100644
--- a/include/openssl/pkcs8.h
+++ b/include/openssl/pkcs8.h
@@ -287,7 +287,8 @@ BSSL_NAMESPACE_END
 #define PKCS8_R_UNSUPPORTED_OPTIONS 132
 #define PKCS8_R_AMBIGUOUS_FRIENDLY_NAME 133
 
-// error code defined for OpenVPN compatability
+// PKCS12_R_MAC_VERIFY_FAILURE is an error code defined for OpenVPN
+// compatability
 #define PKCS12_R_MAC_VERIFY_FAILURE 0
 
 #endif  // OPENSSL_HEADER_PKCS8_H

From 313ebd1b7268298e231a24257b95811d1333b429 Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Thu, 30 May 2024 23:24:23 -0700
Subject: [PATCH 07/19] added one alias mapping for OpenVPN CLI

---
 crypto/cipher_extra/cipher_extra.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c
index 6ef657dcb4..ba9976f715 100644
--- a/crypto/cipher_extra/cipher_extra.c
+++ b/crypto/cipher_extra/cipher_extra.c
@@ -103,7 +103,8 @@ static const struct {
 } kCipherAliases[] = {
     {"3des", "des-ede3-cbc"},
     {"aes256", "aes-256-cbc"},
-    {"aes128", "aes-128-cbc"}
+    {"aes128", "aes-128-cbc"},
+    {"id-aes128-gcm", "aes-128-gcm"}
 };
 
 const EVP_CIPHER *EVP_get_cipherbynid(int nid) {

From 4f17b8d2af82174ed1c1726d33bc2aa26bb8ee5b Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Sun, 2 Jun 2024 19:29:14 -0700
Subject: [PATCH 08/19] changed error code for PKCS12

---
 include/openssl/pkcs8.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/openssl/pkcs8.h b/include/openssl/pkcs8.h
index 1e2087ccee..0bdec8cc00 100644
--- a/include/openssl/pkcs8.h
+++ b/include/openssl/pkcs8.h
@@ -288,7 +288,8 @@ BSSL_NAMESPACE_END
 #define PKCS8_R_AMBIGUOUS_FRIENDLY_NAME 133
 
 // PKCS12_R_MAC_VERIFY_FAILURE is an error code defined for OpenVPN
-// compatability
-#define PKCS12_R_MAC_VERIFY_FAILURE 0
+// compatability. It points to our equivalent for this OpenSSL error,
+// |PKCS8_R_INCORRECT_PASSWORD|
+#define PKCS12_R_MAC_VERIFY_FAILURE PKCS8_R_INCORRECT_PASSWORD
 
 #endif  // OPENSSL_HEADER_PKCS8_H

From c66c036b36b1ec25ab9f159cb23557b18a6004b5 Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Sun, 2 Jun 2024 19:31:41 -0700
Subject: [PATCH 09/19] changed comment for RSA function code

---
 include/openssl/rsa.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 1929e6604d..eaf9f8d7df 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -935,7 +935,8 @@ BSSL_NAMESPACE_END
 #define RSA_R_BLOCK_TYPE_IS_NOT_02 148
 #define RSA_R_MISMATCHED_SIGNATURE 248
 
-// function code for OpenVPN compatibility
+// RSA_F_RSA_OSSL_PRIVATE_ENCRYPT is a function code defined
+// for OpenVPN compatibility, AWS-LC does not support them
 #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT 0
 
 #endif  // OPENSSL_HEADER_RSA_H

From a8a83f0cd55d073e354be0e373c812f50ef722e7 Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Sun, 2 Jun 2024 20:37:04 -0700
Subject: [PATCH 10/19] removed old patches and integration script

---
 .../openvpn_patch/aws-lc-openvpn-temp.patch   | 39 ----------
 .../openvpn_patch/aws-lc-openvpn.patch        | 72 -------------------
 .../ci/integration/run_openvpn_integration.sh | 64 -----------------
 3 files changed, 175 deletions(-)
 delete mode 100644 tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch
 delete mode 100644 tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
 delete mode 100755 tests/ci/integration/run_openvpn_integration.sh

diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch
deleted file mode 100644
index 09e1861319..0000000000
--- a/tests/ci/integration/openvpn_patch/aws-lc-openvpn-temp.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index 6efef4f0..f799e531 100644
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -1169,7 +1169,7 @@ end:
- }
- 
- 
--#if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER)
-+#if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER) && !defined(OPENSSL_IS_AWSLC)
- 
- /* encrypt */
- static int
-@@ -1504,10 +1504,12 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
-     if (EVP_PKEY_is_a(pkey, "RSA"))
- #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
-     {
-+#if !defined(OPENSSL_IS_AWSLC)
-         if (!tls_ctx_use_external_rsa_key(ctx, pkey))
-         {
-             goto cleanup;
-         }
-+#endif
-     }
- #if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
- #if OPENSSL_VERSION_NUMBER < 0x30000000L
-@@ -1516,10 +1518,12 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
-     else if (EVP_PKEY_is_a(pkey, "EC"))
- #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
-     {
-+#if !defined(OPENSSL_IS_AWSLC)
-         if (!tls_ctx_use_external_ec_key(ctx, pkey))
-         {
-             goto cleanup;
-         }
-+#endif
-     }
-     else
-     {
diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
deleted file mode 100644
index 919da7af90..0000000000
--- a/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index 61c65186..bbeb5c14 100644
---- a/src/openvpn/crypto_openssl.c
-+++ b/src/openvpn/crypto_openssl.c
-@@ -38,6 +38,7 @@
- #include "buffer.h"
- #include "integer.h"
- #include "crypto.h"
-+#include "error.h"
- #include "crypto_backend.h"
- #include "openssl_compat.h"
- 
-@@ -1377,7 +1378,7 @@ out:
- 
-     return ret;
- }
--#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
-+#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_AWSLC)
- bool
- ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
-              int secret_len, uint8_t *output, int output_len)
-@@ -1457,7 +1458,7 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
-     int ret = false;
- 
-     chunk = EVP_MD_size(md);
--    OPENSSL_assert(chunk >= 0);
-+    ASSERT(chunk >= 0);
- 
-     ctx = md_ctx_new();
-     ctx_tmp = md_ctx_new();
-diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
-index c9fa7196..a48ef391 100644
---- a/src/openvpn/openssl_compat.h
-+++ b/src/openvpn/openssl_compat.h
-@@ -75,7 +75,7 @@ X509_OBJECT_free(X509_OBJECT *obj)
- #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
- #endif
- 
--#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL)
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL) || defined(OPENSSL_IS_AWSLC)
- #define SSL_get_peer_tmp_key SSL_get_server_tmp_key
- #endif
- 
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index 6efef4f0..d5786d47 100644
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -2211,6 +2211,7 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen)
-     const char *peer_sig = "unknown";
-     const char *peer_sig_type = "unknown type";
- 
-+#if !defined(OPENSSL_IS_AWSLC)
-     /* Even though these methods use the deprecated NIDs instead of using
-      * string as new OpenSSL APIs do, there seem to be no API that replaces
-      * it yet */
-@@ -2233,6 +2234,7 @@ print_peer_signature(SSL *ssl, char *buf, size_t buflen)
-     }
- #endif
- 
-+#endif /* OPENSSL_IS_AWSLC */
-     if (peer_sig_nid == NID_undef && peer_sig_type_nid == NID_undef)
-     {
-         return;
-@@ -2315,7 +2317,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
-         crypto_msg(M_FATAL, "Cannot create SSL object");
-     }
- 
--#if OPENSSL_VERSION_NUMBER < 0x1010000fL
-+#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC)
-     STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
- #else
-     STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
diff --git a/tests/ci/integration/run_openvpn_integration.sh b/tests/ci/integration/run_openvpn_integration.sh
deleted file mode 100755
index 6bab1b988a..0000000000
--- a/tests/ci/integration/run_openvpn_integration.sh
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/env bash
-# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0 OR ISC
-
-set -exu
-
-source tests/ci/common_posix_setup.sh
-
-# Set up environment.
-
-# SYS_ROOT
-#  - SRC_ROOT(aws-lc)
-#    - SCRATCH_FOLDER
-#      - OPENVPN_SRC_FOLDER
-#      - AWS_LC_BUILD_FOLDER
-#      - AWS_LC_INSTALL_FOLDER
-
-# Assumes script is executed from the root of aws-lc directory
-SCRATCH_FOLDER="${SRC_ROOT}/OPENVPN_BUILD_ROOT"
-OPENVPN_SRC_FOLDER="${SCRATCH_FOLDER}/openvpn"
-OPENVPN_PATCH_BUILD_FOLDER="${SRC_ROOT}/tests/ci/integration/openvpn_patch"
-OPENVPN_BUILD_PREFIX="${OPENVPN_SRC_FOLDER}/build/install"
-OPENVPN_BUILD_EPREFIX="${OPENVPN_SRC_FOLDER}/build/exec-install"
-AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
-AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
-
-
-mkdir -p ${SCRATCH_FOLDER}
-rm -rf "${SCRATCH_FOLDER:?}"/*
-cd ${SCRATCH_FOLDER}
-
-function openvpn_build() {
-  autoreconf -ivf
-  ./configure \
-  --prefix $OPENVPN_BUILD_PREFIX \
-  --exec-prefix $OPENVPN_BUILD_EPREFIX \
-  --with-crypto-library=openssl \
-  --with-openssl-engine=no   
-  
-  make 
-  make install
-}
-
-# TODO: Remove this when we make an upstream contribution.
-function openvpn_patch_build() {
-  for patchfile in $(find -L "${OPENVPN_PATCH_BUILD_FOLDER}" -type f -name '*.patch'); do
-    echo "Apply patch $patchfile..."
-    patch -p1 --quiet -i "$patchfile"
-  done
-}
-
-git clone https://github.com/OpenVPN/openvpn.git ${OPENVPN_SRC_FOLDER} --depth 1
-mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER}
-ls
-
-aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=1
-
-# Build nginx from source.
-pushd ${OPENVPN_SRC_FOLDER}
-openvpn_patch_build
-export OPENSSL_CFLAGS="-I/${AWS_LC_INSTALL_FOLDER}/include" 
-export OPENSSL_LIBS="-L/${AWS_LC_INSTALL_FOLDER}/lib64 -lssl -lcrypto" 
-openvpn_build
-popd

From c8ee3219e251990351b39aafd71d975dada83798 Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Sun, 2 Jun 2024 21:04:28 -0700
Subject: [PATCH 11/19] added missing cipher mapping

---
 crypto/cipher_extra/cipher_extra.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c
index ba9976f715..9da3ee4f71 100644
--- a/crypto/cipher_extra/cipher_extra.c
+++ b/crypto/cipher_extra/cipher_extra.c
@@ -104,7 +104,8 @@ static const struct {
     {"3des", "des-ede3-cbc"},
     {"aes256", "aes-256-cbc"},
     {"aes128", "aes-128-cbc"},
-    {"id-aes128-gcm", "aes-128-gcm"}
+    {"id-aes128-gcm", "aes-128-gcm"},
+    {"id-aes256-gcm", "aes-256-gcm"}
 };
 
 const EVP_CIPHER *EVP_get_cipherbynid(int nid) {

From 13cedafd90cb6254a72bd316f401e76659640210 Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Sun, 2 Jun 2024 21:14:24 -0700
Subject: [PATCH 12/19] added signature and signature_nid fucntions for SSL

---
 include/openssl/ssl.h | 10 ++++++++++
 ssl/ssl_lib.cc        | 31 +++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index e85894e46d..f0f104bc56 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -4895,6 +4895,16 @@ OPENSSL_EXPORT int SSL_get_shutdown(const SSL *ssl);
 // peer. If not applicable, it returns zero.
 OPENSSL_EXPORT uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl);
 
+// SSL_get_peer_signature_nid sets *psig_nid to the NID of the digest used by
+// the peer to sign TLS messages. Returns 1 on success and 0 on failure.
+OPENSSL_EXPORT int SSL_get_peer_signature_nid(const SSL *ssl, int *psig_nid);
+
+// SSL_get_peer_signature_type_nid sets *psigtype_nid to the signature type
+// used by the peer to sign TLS messages. The signature type is the NID of the
+// public key type used for signing. Returns 1 on success and 0 on failure.
+OPENSSL_EXPORT int SSL_get_peer_signature_type_nid(const SSL *ssl,
+                                                   int *psigtype_nid);
+
 // SSL_get_client_random writes up to |max_out| bytes of the most recent
 // handshake's client_random to |out| and returns the number of bytes written.
 // If |max_out| is zero, it returns the size of the client_random.
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 13d0050ca9..dcd83aac74 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -3047,6 +3047,37 @@ uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
   return session->peer_signature_algorithm;
 }
 
+int SSL_get_peer_signature_nid(const SSL *ssl, int *psig_nid) {
+  uint16_t sig_alg = SSL_get_peer_signature_algorithm(ssl);
+  if (sig_alg == 0) {
+    return 0;
+  }
+
+  const EVP_MD *digest_type = SSL_get_signature_algorithm_digest(sig_alg);
+  if (digest_type == nullptr) {
+    return 0;
+  }
+
+  *psig_nid = EVP_MD_nid(digest_type);
+  return 1;
+}
+
+int SSL_get_peer_signature_type_nid(const SSL *ssl, int *psigtype_nid) {
+  uint16_t sig_alg = SSL_get_peer_signature_algorithm(ssl);
+  if (sig_alg == 0) {
+    return 0;
+  }
+
+  int sig_type = SSL_get_signature_algorithm_key_type(sig_alg);
+
+  if (sig_type == EVP_PKEY_NONE) {
+    return 0;
+  }
+
+  *psigtype_nid = sig_type;
+  return 1;
+}
+
 size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) {
   if (max_out == 0) {
     return sizeof(ssl->s3->client_random);

From 9f69f683ca7aa56cf5bfbfea24e2746b5776dfcb Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Sun, 2 Jun 2024 22:53:18 -0700
Subject: [PATCH 13/19] added temp test case for SSL_get_peer_signature_* funcs

---
 ssl/ssl_test.cc | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 8d512bf580..f5c1c303d2 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -9889,12 +9889,24 @@ TEST(SSLTest, ConnectionPropertiesDuringRenegotiate) {
     EXPECT_EQ(SSL_get_group_id(client.get()), SSL_GROUP_X25519);
     EXPECT_EQ(SSL_get_peer_signature_algorithm(client.get()),
               SSL_SIGN_RSA_PKCS1_SHA256);
+
+    int psig_nid;
+    EXPECT_TRUE(SSL_get_peer_signature_type_nid(client.get(), &psig_nid));
+    EXPECT_EQ(psig_nid, EVP_PKEY_RSA);
+    int digest_nid;
+    EXPECT_TRUE(SSL_get_peer_signature_nid(client.get(), &digest_nid));
+    EXPECT_EQ(digest_nid, NID_sha256);
+
     bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
     ASSERT_TRUE(peer);
     EXPECT_EQ(X509_cmp(cert.get(), peer.get()), 0);
   };
   check_properties();
 
+  // Client has not signed any TLS messages yet
+  EXPECT_FALSE(SSL_get_peer_signature_type_nid(server.get(), nullptr));
+  EXPECT_FALSE(SSL_get_peer_signature_nid(server.get(), nullptr));
+
   // The server sends a HelloRequest.
   ASSERT_NO_FATAL_FAILURE(WriteHelloRequest(server.get()));
 
@@ -9909,6 +9921,10 @@ TEST(SSLTest, ConnectionPropertiesDuringRenegotiate) {
   check_properties();
   EXPECT_EQ(SSL_CTX_sess_connect_renegotiate(ctx.get()), 1);
   EXPECT_EQ(SSL_CTX_sess_accept_renegotiate(ctx.get()), 0);
+
+  // Client does not sign any messages in renegotiation either
+  EXPECT_FALSE(SSL_get_peer_signature_type_nid(server.get(), nullptr));
+  EXPECT_FALSE(SSL_get_peer_signature_nid(server.get(), nullptr));
 }
 
 TEST(SSLTest, CopyWithoutEarlyData) {

From 034e920812fb54987e26d5fbb68c8283b18cac05 Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Mon, 3 Jun 2024 20:23:04 -0700
Subject: [PATCH 14/19] added new test for mTLS to test client side for
 SSL_get_peer_signature_* funcs

---
 ssl/ssl_test.cc | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index f5c1c303d2..de8d31ac0b 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -9927,6 +9927,52 @@ TEST(SSLTest, ConnectionPropertiesDuringRenegotiate) {
   EXPECT_FALSE(SSL_get_peer_signature_nid(server.get(), nullptr));
 }
 
+TEST(SSLTest, SSLGetSignatureData) {
+  bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+  ASSERT_TRUE(ctx);
+  bssl::UniquePtr<X509> cert = GetECDSATestCertificate();
+  ASSERT_TRUE(cert);
+  bssl::UniquePtr<EVP_PKEY> key = GetECDSATestKey();
+  ASSERT_TRUE(key);
+  ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get()));
+  ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), key.get()));
+
+  // Explicitly configure |SSL_VERIFY_PEER| so both the client and server
+  // verify each other
+  SSL_CTX_set_custom_verify(
+          ctx.get(), SSL_VERIFY_PEER,
+          [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
+
+  ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_3_VERSION));
+  ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_VERSION));
+  ASSERT_TRUE(SSL_CTX_set1_sigalgs_list(ctx.get(), "ECDSA+SHA256"));
+
+  bssl::UniquePtr<SSL> client, server;
+  ASSERT_TRUE(CreateClientAndServer(&client, &server, ctx.get(), ctx.get()));
+
+  // Before handshake, neither client nor server has signed any messages
+  ASSERT_FALSE(SSL_get_peer_signature_nid(client.get(), nullptr));
+  ASSERT_FALSE(SSL_get_peer_signature_nid(server.get(), nullptr));
+  ASSERT_FALSE(SSL_get_peer_signature_type_nid(client.get(), nullptr));
+  ASSERT_FALSE(SSL_get_peer_signature_type_nid(server.get(), nullptr));
+
+  ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
+
+  // Both client and server verified each other, both have signed TLS messages
+  // now
+  int client_digest, client_sigtype;
+  ASSERT_TRUE(SSL_get_peer_signature_nid(server.get(), &client_digest));
+  ASSERT_TRUE(SSL_get_peer_signature_type_nid(server.get(), &client_sigtype));
+  ASSERT_EQ(client_sigtype, EVP_PKEY_EC);
+  ASSERT_EQ(client_digest, NID_sha256);
+
+  int server_digest, server_sigtype;
+  ASSERT_TRUE(SSL_get_peer_signature_nid(client.get(), &server_digest));
+  ASSERT_TRUE(SSL_get_peer_signature_type_nid(client.get(), &server_sigtype));
+  ASSERT_EQ(server_sigtype, EVP_PKEY_EC);
+  ASSERT_EQ(server_digest, NID_sha256);
+}
+
 TEST(SSLTest, CopyWithoutEarlyData) {
   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
   bssl::UniquePtr<SSL_CTX> server_ctx(

From 09fa5f99d0999de2897abbd438d938fc8f82af9b Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Mon, 3 Jun 2024 21:00:38 -0700
Subject: [PATCH 15/19] first patch file for openvpn symbols

---
 .../openvpn_patch/aws-lc-openvpn.patch        | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch

diff --git a/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch b/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
new file mode 100644
index 0000000000..6328b11768
--- /dev/null
+++ b/tests/ci/integration/openvpn_patch/aws-lc-openvpn.patch
@@ -0,0 +1,43 @@
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index 50683b67..eef80d54 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -1460,7 +1460,12 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
+     int ret = false;
+ 
+     chunk = EVP_MD_size(md);
++
++#if !defined(OPENSSL_IS_AWSLC)
+     OPENSSL_assert(chunk >= 0);
++#else
++    ASSERT(chunk >= 0);
++#endif
+ 
+     ctx = md_ctx_new();
+     ctx_tmp = md_ctx_new();
+diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
+index c9fa7196..a48ef391 100644
+--- a/src/openvpn/openssl_compat.h
++++ b/src/openvpn/openssl_compat.h
+@@ -75,7 +75,7 @@ X509_OBJECT_free(X509_OBJECT *obj)
+ #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+ #endif
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL)
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL) || defined(OPENSSL_IS_AWSLC)
+ #define SSL_get_peer_tmp_key SSL_get_server_tmp_key
+ #endif
+ 
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index 4383e981..bd2039d3 100644
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -2314,7 +2314,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
+         crypto_msg(M_FATAL, "Cannot create SSL object");
+     }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x1010000fL
++#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC)
+     STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
+ #else
+     STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);

From 1685fec2267921488c2f09a47f34b7500ba0fbc9 Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Wed, 5 Jun 2024 09:45:30 -0700
Subject: [PATCH 16/19] comment and style fixes

---
 include/openssl/pkcs8.h | 2 +-
 include/openssl/rsa.h   | 2 +-
 include/openssl/ssl.h   | 8 ++++----
 ssl/ssl_lib.cc          | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/include/openssl/pkcs8.h b/include/openssl/pkcs8.h
index 0bdec8cc00..4e68b907a7 100644
--- a/include/openssl/pkcs8.h
+++ b/include/openssl/pkcs8.h
@@ -287,7 +287,7 @@ BSSL_NAMESPACE_END
 #define PKCS8_R_UNSUPPORTED_OPTIONS 132
 #define PKCS8_R_AMBIGUOUS_FRIENDLY_NAME 133
 
-// PKCS12_R_MAC_VERIFY_FAILURE is an error code defined for OpenVPN
+// PKCS12_R_MAC_VERIFY_FAILURE is an error code defined for
 // compatability. It points to our equivalent for this OpenSSL error,
 // |PKCS8_R_INCORRECT_PASSWORD|
 #define PKCS12_R_MAC_VERIFY_FAILURE PKCS8_R_INCORRECT_PASSWORD
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index eaf9f8d7df..ba7f6fa2d3 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -936,7 +936,7 @@ BSSL_NAMESPACE_END
 #define RSA_R_MISMATCHED_SIGNATURE 248
 
 // RSA_F_RSA_OSSL_PRIVATE_ENCRYPT is a function code defined
-// for OpenVPN compatibility, AWS-LC does not support them
+// for compatibility. AWS-LC does not support function codes
 #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT 0
 
 #endif  // OPENSSL_HEADER_RSA_H
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index f0f104bc56..779bbad810 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -4895,13 +4895,13 @@ OPENSSL_EXPORT int SSL_get_shutdown(const SSL *ssl);
 // peer. If not applicable, it returns zero.
 OPENSSL_EXPORT uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl);
 
-// SSL_get_peer_signature_nid sets *psig_nid to the NID of the digest used by
-// the peer to sign TLS messages. Returns 1 on success and 0 on failure.
+// SSL_get_peer_signature_nid sets |psig_nid| to the NID of the digest used by
+// the peer to sign TLS messages. Returns one on success and zero on failure.
 OPENSSL_EXPORT int SSL_get_peer_signature_nid(const SSL *ssl, int *psig_nid);
 
-// SSL_get_peer_signature_type_nid sets *psigtype_nid to the signature type
+// SSL_get_peer_signature_type_nid sets |psigtype_nid| to the signature type
 // used by the peer to sign TLS messages. The signature type is the NID of the
-// public key type used for signing. Returns 1 on success and 0 on failure.
+// public key type used for signing. Returns one on success and zero on failure.
 OPENSSL_EXPORT int SSL_get_peer_signature_type_nid(const SSL *ssl,
                                                    int *psigtype_nid);
 
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index dcd83aac74..abe27d2574 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -3054,7 +3054,7 @@ int SSL_get_peer_signature_nid(const SSL *ssl, int *psig_nid) {
   }
 
   const EVP_MD *digest_type = SSL_get_signature_algorithm_digest(sig_alg);
-  if (digest_type == nullptr) {
+  if (digest_type == NULL) {
     return 0;
   }
 

From 7291d4b06e91097e8126d35ffaab5a0ed9f694bb Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Wed, 12 Jun 2024 15:01:54 -0700
Subject: [PATCH 17/19] added null checks for out

---
 ssl/ssl_lib.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index abe27d2574..81abc8023d 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -3048,6 +3048,10 @@ uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
 }
 
 int SSL_get_peer_signature_nid(const SSL *ssl, int *psig_nid) {
+  if(psig_nid == NULL) {
+    return 0;
+  }
+
   uint16_t sig_alg = SSL_get_peer_signature_algorithm(ssl);
   if (sig_alg == 0) {
     return 0;
@@ -3063,6 +3067,10 @@ int SSL_get_peer_signature_nid(const SSL *ssl, int *psig_nid) {
 }
 
 int SSL_get_peer_signature_type_nid(const SSL *ssl, int *psigtype_nid) {
+  if(psigtype_nid == NULL) {
+    return 0;
+  }
+
   uint16_t sig_alg = SSL_get_peer_signature_algorithm(ssl);
   if (sig_alg == 0) {
     return 0;

From f20e64521cebd281e3444851da21d25409688c30 Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Fri, 14 Jun 2024 22:12:43 -0700
Subject: [PATCH 18/19] added another cipher mapping for openvpn tests

---
 crypto/cipher_extra/cipher_extra.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c
index 9da3ee4f71..f9a7e10cdb 100644
--- a/crypto/cipher_extra/cipher_extra.c
+++ b/crypto/cipher_extra/cipher_extra.c
@@ -105,6 +105,7 @@ static const struct {
     {"aes256", "aes-256-cbc"},
     {"aes128", "aes-128-cbc"},
     {"id-aes128-gcm", "aes-128-gcm"},
+    {"id-aes192-gcm", "aes-192-gcm"},
     {"id-aes256-gcm", "aes-256-gcm"}
 };
 

From 91f7e6461dfa88255ff9dc714d1c8ff8b6037fdc Mon Sep 17 00:00:00 2001
From: Shubham Mittal <smittals@amazon.com>
Date: Fri, 14 Jun 2024 22:15:10 -0700
Subject: [PATCH 19/19] made minor style changes

---
 include/openssl/ssl.h | 8 +++++---
 ssl/ssl_lib.cc        | 8 ++------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index bce846b8fd..aeb3d26dab 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -4899,12 +4899,14 @@ OPENSSL_EXPORT int SSL_get_shutdown(const SSL *ssl);
 OPENSSL_EXPORT uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl);
 
 // SSL_get_peer_signature_nid sets |psig_nid| to the NID of the digest used by
-// the peer to sign TLS messages. Returns one on success and zero on failure.
+// the peer to sign their TLS messages. Returns one on success and zero on
+// failure.
 OPENSSL_EXPORT int SSL_get_peer_signature_nid(const SSL *ssl, int *psig_nid);
 
 // SSL_get_peer_signature_type_nid sets |psigtype_nid| to the signature type
-// used by the peer to sign TLS messages. The signature type is the NID of the
-// public key type used for signing. Returns one on success and zero on failure.
+// used by the peer to sign their TLS messages. The signature type is the NID of
+// the public key type used for signing. Returns one on success and zero on
+// failure.
 OPENSSL_EXPORT int SSL_get_peer_signature_type_nid(const SSL *ssl,
                                                    int *psigtype_nid);
 
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 81abc8023d..4e07eac7df 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -3048,9 +3048,7 @@ uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
 }
 
 int SSL_get_peer_signature_nid(const SSL *ssl, int *psig_nid) {
-  if(psig_nid == NULL) {
-    return 0;
-  }
+  GUARD_PTR(psig_nid);
 
   uint16_t sig_alg = SSL_get_peer_signature_algorithm(ssl);
   if (sig_alg == 0) {
@@ -3067,9 +3065,7 @@ int SSL_get_peer_signature_nid(const SSL *ssl, int *psig_nid) {
 }
 
 int SSL_get_peer_signature_type_nid(const SSL *ssl, int *psigtype_nid) {
-  if(psigtype_nid == NULL) {
-    return 0;
-  }
+  GUARD_PTR(psigtype_nid);
 
   uint16_t sig_alg = SSL_get_peer_signature_algorithm(ssl);
   if (sig_alg == 0) {