diff --git a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml index 05f4501f31..834c50d698 100644 --- a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml +++ b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml @@ -480,7 +480,7 @@ batch: compute-type: BUILD_GENERAL1_MEDIUM image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_integration_latest variables: - AWS_LC_CI_TARGET: "tests/ci/integration/run_ruby_integration.sh ruby_3_3 ruby_3_2 ruby_3_1" + AWS_LC_CI_TARGET: "tests/ci/integration/run_ruby_integration.sh ruby_3_4 ruby_3_3 ruby_3_2" FIPS: 0 - identifier: ruby_release_fips_1_integration_x86_64 @@ -491,5 +491,5 @@ batch: compute-type: BUILD_GENERAL1_MEDIUM image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_integration_latest variables: - AWS_LC_CI_TARGET: "tests/ci/integration/run_ruby_integration.sh ruby_3_3 ruby_3_2 ruby_3_1" + AWS_LC_CI_TARGET: "tests/ci/integration/run_ruby_integration.sh ruby_3_4 ruby_3_3 ruby_3_2" FIPS: 1 \ No newline at end of file diff --git a/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch b/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch deleted file mode 100644 index c661cbeaa0..0000000000 --- a/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch +++ /dev/null @@ -1,618 +0,0 @@ -diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c -index 6c532ac..b4ca18b 100644 ---- a/ext/openssl/ossl.c -+++ b/ext/openssl/ossl.c -@@ -417,8 +417,7 @@ ossl_debug_set(VALUE self, VALUE val) - static VALUE - ossl_fips_mode_get(VALUE self) - { -- --#ifdef OPENSSL_FIPS -+#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) - VALUE enabled; - enabled = FIPS_mode() ? Qtrue : Qfalse; - return enabled; -@@ -443,7 +442,7 @@ static VALUE - ossl_fips_mode_set(VALUE self, VALUE enabled) - { - --#ifdef OPENSSL_FIPS -+#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) - if (RTEST(enabled)) { - int mode = FIPS_mode(); - if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ -@@ -1200,6 +1199,8 @@ Init_openssl(void) - rb_define_const(mOSSL, "OPENSSL_FIPS", - #ifdef OPENSSL_FIPS - Qtrue -+#elif defined(OPENSSL_IS_AWSLC) // AWS-LC FIPS can only be enabled during compile time. -+ FIPS_mode() ? Qtrue : Qfalse - #else - Qfalse - #endif -diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c -index fb947df..969aa25 100644 ---- a/ext/openssl/ossl_pkcs12.c -+++ b/ext/openssl/ossl_pkcs12.c -@@ -134,6 +134,12 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self) - if (!NIL_P(keytype)) - ktype = NUM2INT(keytype); - -+#if defined(OPENSSL_IS_AWSLC) -+ if (ktype != 0) { -+ ossl_raise(rb_eArgError, "Unknown key usage type with AWS-LC %"PRIsVALUE, INT2NUM(ktype)); -+ } -+#endif -+ - obj = NewPKCS12(cPKCS12); - x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca); - p12 = PKCS12_create(passphrase, friendlyname, key, x509, x509s, -diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c -index 06d59c2..74f41db 100644 ---- a/ext/openssl/ossl_pkey_ec.c -+++ b/ext/openssl/ossl_pkey_ec.c -@@ -589,8 +589,11 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self) - ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */ - if (nid == NID_undef) - ossl_raise(eEC_GROUP, "unknown curve name (%"PRIsVALUE")", arg1); -- -+#if !defined(OPENSSL_IS_AWSLC) - group = EC_GROUP_new_by_curve_name(nid); -+#else -+ group = EC_GROUP_new_by_curve_name_mutable(nid); -+#endif - if (group == NULL) - ossl_raise(eEC_GROUP, "unable to create curve (%"PRIsVALUE")", arg1); - -@@ -1295,7 +1298,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self) - GetECPointGroup(self, group); - - rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated"); --#if !OSSL_OPENSSL_PREREQ(3, 0, 0) -+#if !OSSL_OPENSSL_PREREQ(3, 0, 0) && !defined(OPENSSL_IS_AWSLC) - if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1) - ossl_raise(cEC_POINT, "EC_POINT_make_affine"); - #endif -@@ -1444,7 +1447,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self) - if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) - ossl_raise(eEC_POINT, NULL); - } else { --#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) -+#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_AWSLC) - rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \ - "supported by this OpenSSL version"); - #else -diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c -index 9a0682a..c289055 100644 ---- a/ext/openssl/ossl_ssl.c -+++ b/ext/openssl/ossl_ssl.c -@@ -1139,7 +1139,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) - rb_check_frozen(self); - GetSSLCTX(self, ctx); - --#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) -+#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) && !defined(OPENSSL_IS_AWSLC) - SSL_CTX_set_security_level(ctx, NUM2INT(value)); - #else - (void)ctx; -diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb -index 7e5b969..4521e62 100644 ---- a/test/openssl/test_asn1.rb -+++ b/test/openssl/test_asn1.rb -@@ -456,7 +456,8 @@ def test_basic_asn1data - encode_decode_test B(%w{ 81 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :CONTEXT_SPECIFIC) - encode_decode_test B(%w{ C1 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :PRIVATE) - encode_decode_test B(%w{ 1F 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 32, :UNIVERSAL) -- encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) -+ # AWS-LC does not support indefinite lengths with the UNIVERSAL tag. -+ encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) if !aws_lc? - encode_decode_test B(%w{ 41 02 AB CD }), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 1, :APPLICATION) - encode_decode_test B(%w{ 41 81 80 } + %w{ AB CD } * 64), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 64), 1, :APPLICATION) - encode_decode_test B(%w{ 41 82 01 00 } + %w{ AB CD } * 128), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 128), 1, :APPLICATION) -diff --git a/test/openssl/test_bn.rb b/test/openssl/test_bn.rb -index 346602d..e7b30fa 100644 ---- a/test/openssl/test_bn.rb -+++ b/test/openssl/test_bn.rb -@@ -313,6 +313,8 @@ def test_argument_error - end - - def test_get_flags_and_set_flags -+ return if aws_lc? # AWS-LC does not support BN::CONSTTIME. -+ - e = OpenSSL::BN.new(999) - - assert_equal(0, e.get_flags(OpenSSL::BN::CONSTTIME)) -diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb -index 24a215a..8f4eb39 100644 ---- a/test/openssl/test_config.rb -+++ b/test/openssl/test_config.rb -@@ -42,6 +42,9 @@ def test_s_parse - end - - def test_s_parse_format -+ # AWS-LC removed support for parsing $foo variables. -+ return if aws_lc? -+ - c = OpenSSL::Config.parse(<<__EOC__) - baz =qx\t # "baz = qx" - -@@ -216,12 +219,12 @@ def test_get_value - @it.get_value(nil, 'HOME') # not allowed unlike Config#value - end - # fallback to 'default' ugly... -- assert_equal('.', @it.get_value('unknown', 'HOME')) -+ assert_equal('.', @it.get_value('unknown', 'HOME')) if !aws_lc? # AWS-LC does not support the fallback - end - - def test_get_value_ENV -- # LibreSSL removed support for NCONF_get_string(conf, "ENV", str) -- return if libressl? -+ # LibreSSL and AWS-LC removed support for NCONF_get_string(conf, "ENV", str) -+ return if libressl? || aws_lc? - - key = ENV.keys.first - assert_not_nil(key) # make sure we have at least one ENV var. -diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb -index 8cd474f..d811590 100644 ---- a/test/openssl/test_fips.rb -+++ b/test/openssl/test_fips.rb -@@ -5,12 +5,15 @@ - - class OpenSSL::TestFIPS < OpenSSL::TestCase - def test_fips_mode_is_reentrant -+ return if aws_lc? # AWS-LC's FIPS mode is decided at compile time. -+ - OpenSSL.fips_mode = false - OpenSSL.fips_mode = false - end - - def test_fips_mode_get -- return unless OpenSSL::OPENSSL_FIPS -+ return unless OpenSSL::OPENSSL_FIPS and !aws_lc? # AWS-LC's FIPS mode is decided at compile time. -+ - assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") - require #{__FILE__.dump} - -diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb -index ec67674..be21f47 100644 ---- a/test/openssl/test_pkcs12.rb -+++ b/test/openssl/test_pkcs12.rb -@@ -159,7 +159,6 @@ def test_create_with_mac_itr - DEFAULT_PBE_PKEYS, - DEFAULT_PBE_CERTS, - nil, -- nil, - 2048 - ) - -diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb -index ba8b93d..7a23104 100644 ---- a/test/openssl/test_pkcs7.rb -+++ b/test/openssl/test_pkcs7.rb -@@ -191,6 +191,8 @@ def test_set_type_encrypted - end - - def test_smime -+ pend "AWS-LC has no current support for SMIME with PKCS7" if aws_lc? -+ - store = OpenSSL::X509::Store.new - store.add_cert(@ca_cert) - ca_certs = [@ca_cert] -@@ -315,12 +317,42 @@ def test_split_content - AwlEke0Uze1367QKgxM0nc3SZDlptY7zPIJC5saWXb8Rt2bw2JxEBOTavrp+ZwJ8 - tcH961onq8Tme2ICaCzk - -----END PKCS7----- -+END -+ # NOTE: below PEM differs very slightly from upstream ruby -+ # in that it encodes the inner EncryptedContent in -+ # definite-length DER OCTET_STRING whereas upstream (i.e. -+ # OpenSSL) encodes EncryptedContent as indefinite-length -+ # BER OCTET_STRING. The discrepancy is due to AWS-LC's lack -+ # of support for indefinite OCTET_STRINGS. -+ pki_message_content_pem_awslc = < ctx { - ctx.ssl_version = :TLSv1_2 - ctx.ciphers = "aNULL" -@@ -1000,7 +1002,7 @@ def test_connect_certificate_verify_failed_exception_message - ctx.set_params - # OpenSSL <= 1.1.0: "self signed certificate in certificate chain" - # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain" -- assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) { -+ assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed|CERTIFICATE_VERIFY_FAILED/) { - server_connect(port, ctx) - } - } -@@ -1458,20 +1460,22 @@ def test_get_ephemeral_key - end - end - -- # DHE -- # TODO: How to test this with TLS 1.3? -- ctx_proc2 = proc { |ctx| -- ctx.ssl_version = :TLSv1_2 -- ctx.ciphers = "EDH" -- ctx.tmp_dh = Fixtures.pkey("dh-1") -- } -- start_server(ctx_proc: ctx_proc2) do |port| -- ctx = OpenSSL::SSL::SSLContext.new -- ctx.ssl_version = :TLSv1_2 -- ctx.ciphers = "EDH" -- server_connect(port, ctx) { |ssl| -- assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key -+ if !aws_lc? -+ # DHE -+ # TODO: How to test this with TLS 1.3? -+ ctx_proc2 = proc { |ctx| -+ ctx.ssl_version = :TLSv1_2 -+ ctx.ciphers = "EDH" -+ ctx.tmp_dh = Fixtures.pkey("dh-1") - } -+ start_server(ctx_proc: ctx_proc2) do |port| -+ ctx = OpenSSL::SSL::SSLContext.new -+ ctx.ssl_version = :TLSv1_2 -+ ctx.ciphers = "EDH" -+ server_connect(port, ctx) { |ssl| -+ assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key -+ } -+ end - end - - # ECDHE -@@ -1536,11 +1540,11 @@ def test_fallback_scsv - ctx2.max_version = OpenSSL::SSL::TLS1_1_VERSION - s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) - t = Thread.new { -- assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { -+ assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { - s2.connect - } - } -- assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { -+ assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { - s1.accept - } - t.join -@@ -1551,6 +1555,8 @@ def test_fallback_scsv - end - - def test_tmp_dh_callback -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? -+ - dh = Fixtures.pkey("dh-1") - called = false - ctx_proc = -> ctx { -@@ -1570,6 +1576,8 @@ def test_tmp_dh_callback - end - - def test_connect_works_when_setting_dh_callback_to_nil -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? -+ - ctx_proc = -> ctx { - ctx.max_version = :TLS1_2 - ctx.ciphers = "DH:!NULL" # use DH -@@ -1585,6 +1593,8 @@ def test_connect_works_when_setting_dh_callback_to_nil - end - - def test_tmp_dh -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? -+ - dh = Fixtures.pkey("dh-1") - ctx_proc = -> ctx { - ctx.max_version = :TLS1_2 -diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb -index b72b10d..0f376e2 100644 ---- a/test/openssl/test_ssl_session.rb -+++ b/test/openssl/test_ssl_session.rb -@@ -28,9 +28,10 @@ def test_session - end - end - -+ # PEM file updated to use TLS 1.2 with ECDHE-RSA-AES256-SHA. - DUMMY_SESSION = <<__EOS__ - -----BEGIN SSL SESSION PARAMETERS----- --MIIDzQIBAQICAwEEAgA5BCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad -+MIIDzQIBAQICAwMEAsAUBCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad - MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy - NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB - BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5 -@@ -54,9 +55,10 @@ def test_session - -----END SSL SESSION PARAMETERS----- - __EOS__ - -+ # PEM file updated to use TLS 1.1 with ECDHE-RSA-AES256-SHA. - DUMMY_SESSION_NO_EXT = <<-__EOS__ - -----BEGIN SSL SESSION PARAMETERS----- --MIIDCAIBAQICAwAEAgA5BCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+ -+MIIDCAIBAQICAwIEAsAUBCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+ - lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53 - hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B - AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi -@@ -120,7 +122,8 @@ def test_resumption - ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET - # Disable server-side session cache which is enabled by default - ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF -- ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0) -+ # Session tickets must be retrieved via ctx.session_new_cb in TLS 1.3 in AWS-LC. -+ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0) || aws_lc? - } - start_server(ctx_proc: ctx_proc) do |port| - sess1 = server_connect_with_session(port, nil, nil) { |ssl| -@@ -238,10 +241,12 @@ def test_ctx_client_session_cb - end - - server_connect_with_session(port, ctx, nil) { |ssl| -- assert_equal(1, ctx.session_cache_stats[:cache_num]) -+ # AWS-LC doesn't support internal session caching on the client, but -+ # the callback is still enabled as expected. -+ assert_equal(1, ctx.session_cache_stats[:cache_num]) if !aws_lc? - assert_equal(1, ctx.session_cache_stats[:connect_good]) - assert_equal([ssl, ssl.session], called[:new]) -- assert(ctx.session_remove(ssl.session)) -+ assert(ctx.session_remove(ssl.session)) if !aws_lc? - assert(!ctx.session_remove(ssl.session)) - if TEST_SESSION_REMOVE_CB - assert_equal([ctx, ssl.session], called[:remove]) -diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb -index d6c0e70..dad4036 100644 ---- a/test/openssl/test_x509store.rb -+++ b/test/openssl/test_x509store.rb -@@ -331,7 +331,7 @@ def test_verify_with_crl - def test_add_cert_duplicate - # Up until OpenSSL 1.1.0, X509_STORE_add_{cert,crl}() returned an error - # if the given certificate is already in the X509_STORE -- return if openssl?(1, 1, 0) || libressl? -+ return if openssl?(1, 1, 0) || libressl? || aws_lc? - ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") - ca1_key = Fixtures.pkey("rsa-1") - ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil) -diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb -index 4ebcb98..b958c48 100644 ---- a/test/openssl/utils.rb -+++ b/test/openssl/utils.rb -@@ -2,10 +2,6 @@ - begin - require "openssl" - -- # Disable FIPS mode for tests for installations -- # where FIPS mode would be enabled by default. -- # Has no effect on all other installations. -- OpenSSL.fips_mode=false - rescue LoadError - end - -@@ -132,7 +128,7 @@ def get_subject_key_id(cert, hex: true) - end - - def openssl?(major = nil, minor = nil, fix = nil, patch = 0) -- return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") -+ return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") || OpenSSL::OPENSSL_VERSION.include?("AWS-LC") - return true unless major - OpenSSL::OPENSSL_VERSION_NUMBER >= - major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 -@@ -143,6 +139,12 @@ def libressl?(major = nil, minor = nil, fix = nil) - return false unless version - !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 - end -+ -+ def aws_lc?(major = nil, minor = nil, fix = nil) -+ version = OpenSSL::OPENSSL_VERSION.scan(/AWS-LC (\d+)\.(\d+)\.(\d+).*/)[0] -+ return false unless version -+ !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 -+ end - end - - class OpenSSL::TestCase < Test::Unit::TestCase diff --git a/tests/ci/integration/ruby_patch/ruby_3_2/aws-lc-ruby-temp.patch b/tests/ci/integration/ruby_patch/ruby_3_2/aws-lc-ruby-temp.patch index c535890672..ffb6e37d52 100644 --- a/tests/ci/integration/ruby_patch/ruby_3_2/aws-lc-ruby-temp.patch +++ b/tests/ci/integration/ruby_patch/ruby_3_2/aws-lc-ruby-temp.patch @@ -1,39 +1,38 @@ -diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c -index 6c532ac..b4ca18b 100644 ---- a/ext/openssl/ossl.c -+++ b/ext/openssl/ossl.c -@@ -417,8 +417,7 @@ ossl_debug_set(VALUE self, VALUE val) - static VALUE +diff --git ruby/ext/openssl/ossl.c ruby/ext/openssl/ossl.c +index 6c532ac..a53162c 100644 +--- ruby/ext/openssl/ossl.c ++++ ruby/ext/openssl/ossl.c +@@ -418,7 +418,7 @@ static VALUE ossl_fips_mode_get(VALUE self) { -- + -#ifdef OPENSSL_FIPS +#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) VALUE enabled; enabled = FIPS_mode() ? Qtrue : Qfalse; return enabled; -@@ -443,7 +442,7 @@ static VALUE +@@ -443,7 +443,7 @@ static VALUE ossl_fips_mode_set(VALUE self, VALUE enabled) { -#ifdef OPENSSL_FIPS +#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) if (RTEST(enabled)) { - int mode = FIPS_mode(); - if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ -@@ -1200,6 +1199,8 @@ Init_openssl(void) + int mode = FIPS_mode(); + if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ +@@ -1200,6 +1200,8 @@ Init_openssl(void) rb_define_const(mOSSL, "OPENSSL_FIPS", #ifdef OPENSSL_FIPS - Qtrue + Qtrue +#elif defined(OPENSSL_IS_AWSLC) // AWS-LC FIPS can only be enabled during compile time. + FIPS_mode() ? Qtrue : Qfalse #else - Qfalse + Qfalse #endif -diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c +diff --git ruby/ext/openssl/ossl_pkcs12.c ruby/ext/openssl/ossl_pkcs12.c index fb947df..969aa25 100644 ---- a/ext/openssl/ossl_pkcs12.c -+++ b/ext/openssl/ossl_pkcs12.c +--- ruby/ext/openssl/ossl_pkcs12.c ++++ ruby/ext/openssl/ossl_pkcs12.c @@ -134,6 +134,12 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self) if (!NIL_P(keytype)) ktype = NUM2INT(keytype); @@ -47,18 +46,18 @@ index fb947df..969aa25 100644 obj = NewPKCS12(cPKCS12); x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca); p12 = PKCS12_create(passphrase, friendlyname, key, x509, x509s, -diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c -index 92842f9..ad59300 100644 ---- a/ext/openssl/ossl_pkey_ec.c -+++ b/ext/openssl/ossl_pkey_ec.c +diff --git ruby/ext/openssl/ossl_pkey_ec.c ruby/ext/openssl/ossl_pkey_ec.c +index 92842f9..1af95d0 100644 +--- ruby/ext/openssl/ossl_pkey_ec.c ++++ ruby/ext/openssl/ossl_pkey_ec.c @@ -601,8 +601,11 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self) - ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */ + ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */ if (nid == NID_undef) ossl_raise(eEC_GROUP, "unknown curve name (%"PRIsVALUE")", arg1); - +#if !defined(OPENSSL_IS_AWSLC) group = EC_GROUP_new_by_curve_name(nid); -+#else ++#else /* EC_GROUPs are static and immutable by default in AWS-LC. */ + group = EC_GROUP_new_by_curve_name_mutable(nid); +#endif if (group == NULL) @@ -74,19 +73,29 @@ index 92842f9..ad59300 100644 ossl_raise(eEC_POINT, "EC_POINT_make_affine"); #endif @@ -1460,7 +1463,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self) - if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) - ossl_raise(eEC_POINT, NULL); + if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) + ossl_raise(eEC_POINT, NULL); } else { -#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) +#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_AWSLC) rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \ "supported by this OpenSSL version"); #else -diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c -index f639926..b6b41d4 100644 ---- a/ext/openssl/ossl_ssl.c -+++ b/ext/openssl/ossl_ssl.c -@@ -1241,7 +1241,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) +diff --git ruby/ext/openssl/ossl_ssl.c ruby/ext/openssl/ossl_ssl.c +index f639926..82e4e26 100644 +--- ruby/ext/openssl/ossl_ssl.c ++++ ruby/ext/openssl/ossl_ssl.c +@@ -821,7 +821,9 @@ ossl_sslctx_setup(VALUE self) + #endif + + #ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH ++#if !defined(OPENSSL_IS_AWSLC) /* AWS-LC has no support for TLS 1.3 PHA. */ + SSL_CTX_set_post_handshake_auth(ctx, 1); ++#endif + #endif + + val = rb_attr_get(self, id_i_cert_store); +@@ -1241,7 +1243,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) rb_check_frozen(self); GetSSLCTX(self, ctx); @@ -95,25 +104,24 @@ index f639926..b6b41d4 100644 SSL_CTX_set_security_level(ctx, NUM2INT(value)); #else (void)ctx; -diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb -index 7b1722e..67bbee0 100644 ---- a/test/openssl/test_asn1.rb -+++ b/test/openssl/test_asn1.rb -@@ -451,7 +451,8 @@ def test_basic_asn1data +diff --git ruby/test/openssl/test_asn1.rb ruby/test/openssl/test_asn1.rb +index 7b1722e..e09d680 100644 +--- ruby/test/openssl/test_asn1.rb ++++ ruby/test/openssl/test_asn1.rb +@@ -451,7 +451,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase encode_decode_test B(%w{ 81 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :CONTEXT_SPECIFIC) encode_decode_test B(%w{ C1 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :PRIVATE) encode_decode_test B(%w{ 1F 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 32, :UNIVERSAL) - encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) -+ # AWS-LC does not support indefinite lengths with the UNIVERSAL tag. -+ encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) if !aws_lc? ++ encode_decode_test B(%w{ 9F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :CONTEXT_SPECIFIC) encode_decode_test B(%w{ 41 02 AB CD }), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 1, :APPLICATION) encode_decode_test B(%w{ 41 81 80 } + %w{ AB CD } * 64), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 64), 1, :APPLICATION) encode_decode_test B(%w{ 41 82 01 00 } + %w{ AB CD } * 128), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 128), 1, :APPLICATION) -diff --git a/test/openssl/test_bn.rb b/test/openssl/test_bn.rb -index 77af140..73657a7 100644 ---- a/test/openssl/test_bn.rb -+++ b/test/openssl/test_bn.rb -@@ -319,6 +319,8 @@ def test_argument_error +diff --git ruby/test/openssl/test_bn.rb ruby/test/openssl/test_bn.rb +index 77af140..d2007f4 100644 +--- ruby/test/openssl/test_bn.rb ++++ ruby/test/openssl/test_bn.rb +@@ -319,6 +319,8 @@ class OpenSSL::TestBN < OpenSSL::TestCase end def test_get_flags_and_set_flags @@ -122,11 +130,22 @@ index 77af140..73657a7 100644 e = OpenSSL::BN.new(999) assert_equal(0, e.get_flags(OpenSSL::BN::CONSTTIME)) -diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb -index 24a215a..8f4eb39 100644 ---- a/test/openssl/test_config.rb -+++ b/test/openssl/test_config.rb -@@ -42,6 +42,9 @@ def test_s_parse +@@ -362,7 +364,9 @@ class OpenSSL::TestBN < OpenSSL::TestCase + assert_equal(true, Ractor.new(@e2) { _1.negative? }.take) + assert_include(128..255, Ractor.new { OpenSSL::BN.rand(8)}.take) + assert_include(0...2**32, Ractor.new { OpenSSL::BN.generate_prime(32) }.take) +- assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take) ++ if !aws_lc? # AWS-LC does not support BN::CONSTTIME. ++ assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take) ++ end + end + end + end +diff --git ruby/test/openssl/test_config.rb ruby/test/openssl/test_config.rb +index 24a215a..7139e30 100644 +--- ruby/test/openssl/test_config.rb ++++ ruby/test/openssl/test_config.rb +@@ -42,6 +42,9 @@ __EOD__ end def test_s_parse_format @@ -136,12 +155,16 @@ index 24a215a..8f4eb39 100644 c = OpenSSL::Config.parse(<<__EOC__) baz =qx\t # "baz = qx" -@@ -216,12 +219,12 @@ def test_get_value +@@ -215,13 +218,15 @@ __EOC__ + assert_raise(TypeError) do @it.get_value(nil, 'HOME') # not allowed unlike Config#value end - # fallback to 'default' ugly... +- # fallback to 'default' ugly... - assert_equal('.', @it.get_value('unknown', 'HOME')) -+ assert_equal('.', @it.get_value('unknown', 'HOME')) if !aws_lc? # AWS-LC does not support the fallback ++ unless aws_lc? # AWS-LC does not support the fallback ++ # fallback to 'default' ugly... ++ assert_equal('.', @it.get_value('unknown', 'HOME')) ++ end end def test_get_value_ENV @@ -152,11 +175,11 @@ index 24a215a..8f4eb39 100644 key = ENV.keys.first assert_not_nil(key) # make sure we have at least one ENV var. -diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb +diff --git ruby/test/openssl/test_fips.rb ruby/test/openssl/test_fips.rb index 8cd474f..d811590 100644 ---- a/test/openssl/test_fips.rb -+++ b/test/openssl/test_fips.rb -@@ -5,12 +5,15 @@ +--- ruby/test/openssl/test_fips.rb ++++ ruby/test/openssl/test_fips.rb +@@ -5,12 +5,15 @@ if defined?(OpenSSL) class OpenSSL::TestFIPS < OpenSSL::TestCase def test_fips_mode_is_reentrant @@ -173,11 +196,11 @@ index 8cd474f..d811590 100644 assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") require #{__FILE__.dump} -diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb +diff --git ruby/test/openssl/test_pkcs12.rb ruby/test/openssl/test_pkcs12.rb index ec67674..be21f47 100644 ---- a/test/openssl/test_pkcs12.rb -+++ b/test/openssl/test_pkcs12.rb -@@ -159,7 +159,6 @@ def test_create_with_mac_itr +--- ruby/test/openssl/test_pkcs12.rb ++++ ruby/test/openssl/test_pkcs12.rb +@@ -159,7 +159,6 @@ module OpenSSL DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, nil, @@ -185,11 +208,11 @@ index ec67674..be21f47 100644 2048 ) -diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb -index ba8b93d..7a23104 100644 ---- a/test/openssl/test_pkcs7.rb -+++ b/test/openssl/test_pkcs7.rb -@@ -191,6 +191,8 @@ def test_set_type_encrypted +diff --git ruby/test/openssl/test_pkcs7.rb ruby/test/openssl/test_pkcs7.rb +index ba8b93d..358d61b 100644 +--- ruby/test/openssl/test_pkcs7.rb ++++ ruby/test/openssl/test_pkcs7.rb +@@ -191,6 +191,8 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase end def test_smime @@ -198,55 +221,29 @@ index ba8b93d..7a23104 100644 store = OpenSSL::X509::Store.new store.add_cert(@ca_cert) ca_certs = [@ca_cert] -@@ -315,12 +317,42 @@ def test_split_content - AwlEke0Uze1367QKgxM0nc3SZDlptY7zPIJC5saWXb8Rt2bw2JxEBOTavrp+ZwJ8 - tcH961onq8Tme2ICaCzk - -----END PKCS7----- -+END -+ # NOTE: below PEM differs very slightly from upstream ruby -+ # in that it encodes the inner EncryptedContent in -+ # definite-length DER OCTET_STRING whereas upstream (i.e. -+ # OpenSSL) encodes EncryptedContent as indefinite-length -+ # BER OCTET_STRING. The discrepancy is due to AWS-LC's lack -+ # of support for indefinite OCTET_STRINGS. -+ pki_message_content_pem_awslc = < ctx { ctx.ssl_version = :TLSv1_2 ctx.ciphers = "aNULL" -@@ -1494,20 +1496,22 @@ def test_get_ephemeral_key +@@ -1494,20 +1496,22 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end @@ -469,17 +461,17 @@ index db76f1d..ec33cda 100644 - ctx.ciphers = "EDH" - server_connect(port, ctx) { |ssl| - assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key -+ if !aws_lc? ++ if !aws_lc? # AWS-LC does not support DHE ciphersuites. + # DHE -+ # TODO: How to test this with TLS 1.3? ++ # TODO: SSL_CTX_set1_groups() is required for testing this with TLS 1.3 + ctx_proc2 = proc { |ctx| -+ ctx.ssl_version = :TLSv1_2 ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION + ctx.ciphers = "EDH" + ctx.tmp_dh = Fixtures.pkey("dh-1") } + start_server(ctx_proc: ctx_proc2) do |port| + ctx = OpenSSL::SSL::SSLContext.new -+ ctx.ssl_version = :TLSv1_2 ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION + ctx.ciphers = "EDH" + server_connect(port, ctx) { |ssl| + assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key @@ -488,9 +480,11 @@ index db76f1d..ec33cda 100644 end # ECDHE -@@ -1572,11 +1576,11 @@ def test_fallback_scsv +@@ -1571,12 +1575,13 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ctx2.enable_fallback_scsv ctx2.max_version = OpenSSL::SSL::TLS1_1_VERSION s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) ++ # AWS-LC has slightly different error messages in all-caps. t = Thread.new { - assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { + assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { @@ -502,17 +496,20 @@ index db76f1d..ec33cda 100644 s1.accept } t.join -@@ -1587,6 +1591,8 @@ def test_fallback_scsv +@@ -1587,6 +1592,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_tmp_dh_callback -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? + dh = Fixtures.pkey("dh-1") called = false ctx_proc = -> ctx { -@@ -1654,7 +1660,7 @@ def test_ciphersuites_method_bogus_csuite +@@ -1652,9 +1659,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ssl_ctx = OpenSSL::SSL::SSLContext.new + pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=) ++ # AWS-LC has slightly different error messages in all-caps. assert_raise_with_message( OpenSSL::SSL::SSLError, - /SSL_CTX_set_ciphersuites: no cipher match/i @@ -520,8 +517,11 @@ index db76f1d..ec33cda 100644 ) { ssl_ctx.ciphersuites = 'BOGUS' } end -@@ -1698,11 +1704,13 @@ def test_ciphers_method_bogus_csuite +@@ -1696,13 +1704,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ssl_ctx = OpenSSL::SSL::SSLContext.new + ++ # AWS-LC has slightly different error messages in all-caps. assert_raise_with_message( OpenSSL::SSL::SSLError, - /SSL_CTX_set_cipher_list: no cipher match/i @@ -530,25 +530,25 @@ index db76f1d..ec33cda 100644 end def test_connect_works_when_setting_dh_callback_to_nil -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? + ctx_proc = -> ctx { ctx.max_version = :TLS1_2 ctx.ciphers = "DH:!NULL" # use DH -@@ -1718,6 +1726,8 @@ def test_connect_works_when_setting_dh_callback_to_nil +@@ -1718,6 +1729,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_tmp_dh -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? + dh = Fixtures.pkey("dh-1") ctx_proc = -> ctx { ctx.max_version = :TLS1_2 -diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb -index b243201..ccc764a 100644 ---- a/test/openssl/test_ssl_session.rb -+++ b/test/openssl/test_ssl_session.rb -@@ -28,9 +28,10 @@ def test_session +diff --git ruby/test/openssl/test_ssl_session.rb ruby/test/openssl/test_ssl_session.rb +index b243201..0059fb0 100644 +--- ruby/test/openssl/test_ssl_session.rb ++++ ruby/test/openssl/test_ssl_session.rb +@@ -28,9 +28,10 @@ class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase end end @@ -560,7 +560,7 @@ index b243201..ccc764a 100644 MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5 -@@ -54,9 +55,10 @@ def test_session +@@ -54,9 +55,10 @@ j+RBGfCFrrQbBdnkFI/ztgM= -----END SSL SESSION PARAMETERS----- __EOS__ @@ -572,7 +572,7 @@ index b243201..ccc764a 100644 lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53 hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi -@@ -120,7 +122,8 @@ def test_resumption +@@ -120,7 +122,8 @@ __EOS__ ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET # Disable server-side session cache which is enabled by default ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF @@ -582,26 +582,35 @@ index b243201..ccc764a 100644 } start_server(ctx_proc: ctx_proc) do |port| sess1 = server_connect_with_session(port, nil, nil) { |ssl| -@@ -238,10 +241,12 @@ def test_ctx_client_session_cb +@@ -238,14 +241,18 @@ __EOS__ end server_connect_with_session(port, ctx, nil) { |ssl| - assert_equal(1, ctx.session_cache_stats[:cache_num]) -+ # AWS-LC doesn't support internal session caching on the client, but -+ # the callback is still enabled as expected. -+ assert_equal(1, ctx.session_cache_stats[:cache_num]) if !aws_lc? assert_equal(1, ctx.session_cache_stats[:connect_good]) assert_equal([ssl, ssl.session], called[:new]) - assert(ctx.session_remove(ssl.session)) -+ assert(ctx.session_remove(ssl.session)) if !aws_lc? - assert(!ctx.session_remove(ssl.session)) - if TEST_SESSION_REMOVE_CB - assert_equal([ctx, ssl.session], called[:remove]) -diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb +- assert(!ctx.session_remove(ssl.session)) +- if TEST_SESSION_REMOVE_CB +- assert_equal([ctx, ssl.session], called[:remove]) ++ # AWS-LC doesn't support internal session caching on the client, but ++ # the callback is still enabled as expected. ++ unless aws_lc? ++ assert_equal(1, ctx.session_cache_stats[:cache_num]) ++ assert_equal(true, ctx.session_remove(ssl.session)) ++ if TEST_SESSION_REMOVE_CB ++ assert_equal([ctx, ssl.session], called[:remove]) ++ end + end ++ assert_equal(false, ctx.session_remove(ssl.session)) + } + end + end +diff --git ruby/test/openssl/test_x509store.rb ruby/test/openssl/test_x509store.rb index d6c0e70..dad4036 100644 ---- a/test/openssl/test_x509store.rb -+++ b/test/openssl/test_x509store.rb -@@ -331,7 +331,7 @@ def test_verify_with_crl +--- ruby/test/openssl/test_x509store.rb ++++ ruby/test/openssl/test_x509store.rb +@@ -331,7 +331,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase def test_add_cert_duplicate # Up until OpenSSL 1.1.0, X509_STORE_add_{cert,crl}() returned an error # if the given certificate is already in the X509_STORE @@ -610,10 +619,10 @@ index d6c0e70..dad4036 100644 ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") ca1_key = Fixtures.pkey("rsa-1") ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil) -diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb -index 4ebcb98..b958c48 100644 ---- a/test/openssl/utils.rb -+++ b/test/openssl/utils.rb +diff --git ruby/test/openssl/utils.rb ruby/test/openssl/utils.rb +index 4ebcb98..18bb0c3 100644 +--- ruby/test/openssl/utils.rb ++++ ruby/test/openssl/utils.rb @@ -2,10 +2,6 @@ begin require "openssl" @@ -625,7 +634,7 @@ index 4ebcb98..b958c48 100644 rescue LoadError end -@@ -132,7 +128,7 @@ def get_subject_key_id(cert, hex: true) +@@ -132,7 +128,7 @@ module OpenSSL::TestUtils end def openssl?(major = nil, minor = nil, fix = nil, patch = 0) @@ -634,16 +643,29 @@ index 4ebcb98..b958c48 100644 return true unless major OpenSSL::OPENSSL_VERSION_NUMBER >= major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 -@@ -143,6 +139,12 @@ def libressl?(major = nil, minor = nil, fix = nil) +@@ -143,6 +139,10 @@ module OpenSSL::TestUtils return false unless version !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 end + -+ def aws_lc?(major = nil, minor = nil, fix = nil) -+ version = OpenSSL::OPENSSL_VERSION.scan(/AWS-LC (\d+)\.(\d+)\.(\d+).*/)[0] -+ return false unless version -+ !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 ++ def aws_lc? ++ OpenSSL::OPENSSL_VERSION.include?("AWS-LC") + end end class OpenSSL::TestCase < Test::Unit::TestCase +@@ -298,6 +298,14 @@ class OpenSSL::PKeyTestCase < OpenSSL::TestCase + assert_equal base.send(comp), test.send(comp) + } + end ++ ++ def assert_sign_verify_false_or_error ++ ret = yield ++ rescue => e ++ assert_kind_of(OpenSSL::PKey::PKeyError, e) ++ else ++ assert_equal(false, ret) ++ end + end + + module OpenSSL::Certs diff --git a/tests/ci/integration/ruby_patch/ruby_3_3/aws-lc-ruby-temp.patch b/tests/ci/integration/ruby_patch/ruby_3_3/aws-lc-ruby-temp.patch index 3e2e34b1fd..4a0d76f00f 100644 --- a/tests/ci/integration/ruby_patch/ruby_3_3/aws-lc-ruby-temp.patch +++ b/tests/ci/integration/ruby_patch/ruby_3_3/aws-lc-ruby-temp.patch @@ -1,4 +1,4 @@ -diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c +diff --git ruby/ext/openssl/ossl.c ruby/ext/openssl/ossl.c index 00eded5..86cc918 100644 --- a/ext/openssl/ossl.c +++ b/ext/openssl/ossl.c @@ -18,21 +18,21 @@ index 00eded5..86cc918 100644 -#elif defined(OPENSSL_FIPS) +#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) if (RTEST(enabled)) { - int mode = FIPS_mode(); - if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ + int mode = FIPS_mode(); + if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ @@ -1113,6 +1113,8 @@ Init_openssl(void) Qtrue #elif defined(OPENSSL_FIPS) - Qtrue + Qtrue +#elif defined(OPENSSL_IS_AWSLC) // AWS-LC FIPS can only be enabled during compile time. + FIPS_mode() ? Qtrue : Qfalse #else - Qfalse + Qfalse #endif -diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c -index 164b2da..c4a8f94 100644 ---- a/ext/openssl/ossl_pkcs12.c -+++ b/ext/openssl/ossl_pkcs12.c +diff --git ruby/ext/openssl/ossl_pkcs12.c ruby/ext/openssl/ossl_pkcs12.c +index fb947df..969aa25 100644 +--- ruby/ext/openssl/ossl_pkcs12.c ++++ ruby/ext/openssl/ossl_pkcs12.c @@ -134,6 +134,12 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self) if (!NIL_P(keytype)) ktype = NUM2INT(keytype); @@ -46,24 +46,24 @@ index 164b2da..c4a8f94 100644 obj = NewPKCS12(cPKCS12); x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca); p12 = PKCS12_create(passphrase, friendlyname, key, x509, x509s, -diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c -index 4b3a1fd..aa7b234 100644 ---- a/ext/openssl/ossl_pkey_ec.c -+++ b/ext/openssl/ossl_pkey_ec.c -@@ -657,8 +657,11 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self) - ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */ +diff --git ruby/ext/openssl/ossl_pkey_ec.c ruby/ext/openssl/ossl_pkey_ec.c +index 92842f9..1af95d0 100644 +--- ruby/ext/openssl/ossl_pkey_ec.c ++++ ruby/ext/openssl/ossl_pkey_ec.c +@@ -601,8 +601,11 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self) + ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */ if (nid == NID_undef) ossl_raise(eEC_GROUP, "unknown curve name (%"PRIsVALUE")", arg1); - +#if !defined(OPENSSL_IS_AWSLC) group = EC_GROUP_new_by_curve_name(nid); -+#else ++#else /* EC_GROUPs are static and immutable by default in AWS-LC. */ + group = EC_GROUP_new_by_curve_name_mutable(nid); +#endif if (group == NULL) ossl_raise(eEC_GROUP, "unable to create curve (%"PRIsVALUE")", arg1); -@@ -1367,7 +1370,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self) +@@ -1311,7 +1314,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self) GetECPointGroup(self, group); rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated"); @@ -72,47 +72,56 @@ index 4b3a1fd..aa7b234 100644 if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1) ossl_raise(eEC_POINT, "EC_POINT_make_affine"); #endif -@@ -1516,7 +1519,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self) - if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) - ossl_raise(eEC_POINT, NULL); +@@ -1460,7 +1463,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self) + if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) + ossl_raise(eEC_POINT, NULL); } else { -#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) +#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_AWSLC) rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \ "supported by this OpenSSL version"); #else -diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c -index 236d455..f6aa0eb 100644 ---- a/ext/openssl/ossl_ssl.c -+++ b/ext/openssl/ossl_ssl.c +diff --git ruby/ext/openssl/ossl_ssl.c ruby/ext/openssl/ossl_ssl.c +index f639926..4c74476 100644 +--- ruby/ext/openssl/ossl_ssl.c ++++ ruby/ext/openssl/ossl_ssl.c +@@ -821,7 +821,9 @@ ossl_sslctx_setup(VALUE self) + #endif + + #ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH ++#if !defined(OPENSSL_IS_AWSLC) /* AWS-LC has no support for TLS 1.3 PHA. */ + SSL_CTX_set_post_handshake_auth(ctx, 1); ++#endif + #endif + + val = rb_attr_get(self, id_i_cert_store); @@ -1241,7 +1241,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) rb_check_frozen(self); GetSSLCTX(self, ctx); - + -#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) +#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) && !defined(OPENSSL_IS_AWSLC) SSL_CTX_set_security_level(ctx, NUM2INT(value)); #else (void)ctx; -diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb -index 7b1722e..67bbee0 100644 ---- a/test/openssl/test_asn1.rb -+++ b/test/openssl/test_asn1.rb -@@ -451,7 +451,8 @@ def test_basic_asn1data +diff --git ruby/test/openssl/test_asn1.rb ruby/test/openssl/test_asn1.rb +index 7b1722e..e09d680 100644 +--- ruby/test/openssl/test_asn1.rb ++++ ruby/test/openssl/test_asn1.rb +@@ -451,7 +451,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase encode_decode_test B(%w{ 81 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :CONTEXT_SPECIFIC) encode_decode_test B(%w{ C1 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :PRIVATE) encode_decode_test B(%w{ 1F 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 32, :UNIVERSAL) - encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) -+ # AWS-LC does not support indefinite lengths with the UNIVERSAL tag. -+ encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) if !aws_lc? ++ encode_decode_test B(%w{ 9F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :CONTEXT_SPECIFIC) encode_decode_test B(%w{ 41 02 AB CD }), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 1, :APPLICATION) encode_decode_test B(%w{ 41 81 80 } + %w{ AB CD } * 64), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 64), 1, :APPLICATION) encode_decode_test B(%w{ 41 82 01 00 } + %w{ AB CD } * 128), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 128), 1, :APPLICATION) -diff --git a/test/openssl/test_bn.rb b/test/openssl/test_bn.rb -index ea88ff0..1eb58e5 100644 ---- a/test/openssl/test_bn.rb -+++ b/test/openssl/test_bn.rb -@@ -321,6 +321,8 @@ def test_argument_error +diff --git ruby/test/openssl/test_bn.rb ruby/test/openssl/test_bn.rb +index 77af140..d2007f4 100644 +--- ruby/test/openssl/test_bn.rb ++++ ruby/test/openssl/test_bn.rb +@@ -319,6 +319,8 @@ class OpenSSL::TestBN < OpenSSL::TestCase end def test_get_flags_and_set_flags @@ -121,11 +130,22 @@ index ea88ff0..1eb58e5 100644 e = OpenSSL::BN.new(999) assert_equal(0, e.get_flags(OpenSSL::BN::CONSTTIME)) -diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb -index 6dbb9c6..1d544d4 100644 ---- a/test/openssl/test_config.rb -+++ b/test/openssl/test_config.rb -@@ -42,6 +42,9 @@ def test_s_parse +@@ -362,7 +364,9 @@ class OpenSSL::TestBN < OpenSSL::TestCase + assert_equal(true, Ractor.new(@e2) { _1.negative? }.take) + assert_include(128..255, Ractor.new { OpenSSL::BN.rand(8)}.take) + assert_include(0...2**32, Ractor.new { OpenSSL::BN.generate_prime(32) }.take) +- assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take) ++ if !aws_lc? # AWS-LC does not support BN::CONSTTIME. ++ assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take) ++ end + end + end + end +diff --git ruby/test/openssl/test_config.rb ruby/test/openssl/test_config.rb +index 24a215a..7139e30 100644 +--- ruby/test/openssl/test_config.rb ++++ ruby/test/openssl/test_config.rb +@@ -42,6 +42,9 @@ __EOD__ end def test_s_parse_format @@ -135,12 +155,16 @@ index 6dbb9c6..1d544d4 100644 c = OpenSSL::Config.parse(<<__EOC__) baz =qx\t # "baz = qx" -@@ -212,12 +215,12 @@ def test_get_value +@@ -215,13 +218,15 @@ __EOC__ + assert_raise(TypeError) do @it.get_value(nil, 'HOME') # not allowed unlike Config#value end - # fallback to 'default' ugly... +- # fallback to 'default' ugly... - assert_equal('.', @it.get_value('unknown', 'HOME')) -+ assert_equal('.', @it.get_value('unknown', 'HOME')) if !aws_lc? # AWS-LC does not support the fallback ++ unless aws_lc? # AWS-LC does not support the fallback ++ # fallback to 'default' ugly... ++ assert_equal('.', @it.get_value('unknown', 'HOME')) ++ end end def test_get_value_ENV @@ -151,32 +175,10 @@ index 6dbb9c6..1d544d4 100644 key = ENV.keys.first assert_not_nil(key) # make sure we have at least one ENV var. -diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb -index 4a3dd43..8d8737b 100644 ---- a/test/openssl/test_fips.rb -+++ b/test/openssl/test_fips.rb -@@ -5,9 +5,7 @@ - - class OpenSSL::TestFIPS < OpenSSL::TestCase - def test_fips_mode_get_is_true_on_fips_mode_enabled -- unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] -- omit "Only for FIPS mode environment" -- end -+ omit_on_non_fips - - assert_separately(["-ropenssl"], <<~"end;") - assert OpenSSL.fips_mode == true, ".fips_mode should return true on FIPS mode enabled" -@@ -15,9 +13,7 @@ def test_fips_mode_get_is_true_on_fips_mode_enabled - end - - def test_fips_mode_get_is_false_on_fips_mode_disabled -- if ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] -- omit "Only for non-FIPS mode environment" -- end -+ omit_on_fips - - assert_separately(["-ropenssl"], <<~"end;") - message = ".fips_mode should return false on FIPS mode disabled. " \ +diff --git ruby/test/openssl/test_fips.rb ruby/test/openssl/test_fips.rb +index 8cd474f..d811590 100644 +--- ruby/test/openssl/test_fips.rb ++++ ruby/test/openssl/test_fips.rb @@ -28,6 +24,8 @@ def test_fips_mode_get_is_false_on_fips_mode_disabled end @@ -195,11 +197,11 @@ index 4a3dd43..8d8737b 100644 assert_separately(["-ropenssl"], <<~"end;") begin -diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb -index e6b91b5..8a87776 100644 ---- a/test/openssl/test_pkcs12.rb -+++ b/test/openssl/test_pkcs12.rb -@@ -159,7 +159,6 @@ def test_create_with_mac_itr +diff --git ruby/test/openssl/test_pkcs12.rb ruby/test/openssl/test_pkcs12.rb +index ec67674..be21f47 100644 +--- ruby/test/openssl/test_pkcs12.rb ++++ ruby/test/openssl/test_pkcs12.rb +@@ -159,7 +159,6 @@ module OpenSSL DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, nil, @@ -207,11 +209,11 @@ index e6b91b5..8a87776 100644 2048 ) -diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb -index ba8b93d..7a23104 100644 ---- a/test/openssl/test_pkcs7.rb -+++ b/test/openssl/test_pkcs7.rb -@@ -191,6 +191,8 @@ def test_set_type_encrypted +diff --git ruby/test/openssl/test_pkcs7.rb ruby/test/openssl/test_pkcs7.rb +index ba8b93d..358d61b 100644 +--- ruby/test/openssl/test_pkcs7.rb ++++ ruby/test/openssl/test_pkcs7.rb +@@ -191,6 +191,8 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase end def test_smime @@ -220,63 +222,28 @@ index ba8b93d..7a23104 100644 store = OpenSSL::X509::Store.new store.add_cert(@ca_cert) ca_certs = [@ca_cert] -@@ -315,12 +317,42 @@ def test_split_content - AwlEke0Uze1367QKgxM0nc3SZDlptY7zPIJC5saWXb8Rt2bw2JxEBOTavrp+ZwJ8 - tcH961onq8Tme2ICaCzk - -----END PKCS7----- -+END -+ # NOTE: below PEM differs very slightly from upstream ruby -+ # in that it encodes the inner EncryptedContent in -+ # definite-length DER OCTET_STRING whereas upstream (i.e. -+ # OpenSSL) encodes EncryptedContent as indefinite-length -+ # BER OCTET_STRING. The discrepancy is due to AWS-LC's lack -+ # of support for indefinite OCTET_STRINGS. -+ pki_message_content_pem_awslc = < ctx { ctx.ssl_version = :TLSv1_2 @@ -502,7 +464,7 @@ index 07dc9a3..eb3458a 100644 server_connect(port, ctx) } } -@@ -1530,20 +1533,22 @@ def test_get_ephemeral_key +@@ -1494,20 +1496,22 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end @@ -519,17 +481,17 @@ index 07dc9a3..eb3458a 100644 - ctx.ciphers = "EDH" - server_connect(port, ctx) { |ssl| - assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key -+ if !aws_lc? ++ if !aws_lc? # AWS-LC does not support DHE ciphersuites. + # DHE -+ # TODO: How to test this with TLS 1.3? ++ # TODO: SSL_CTX_set1_groups() is required for testing this with TLS 1.3 + ctx_proc2 = proc { |ctx| -+ ctx.ssl_version = :TLSv1_2 ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION + ctx.ciphers = "EDH" + ctx.tmp_dh = Fixtures.pkey("dh-1") } + start_server(ctx_proc: ctx_proc2) do |port| + ctx = OpenSSL::SSL::SSLContext.new -+ ctx.ssl_version = :TLSv1_2 ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION + ctx.ciphers = "EDH" + server_connect(port, ctx) { |ssl| + assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key @@ -538,9 +500,11 @@ index 07dc9a3..eb3458a 100644 end # ECDHE -@@ -1608,11 +1613,11 @@ def test_fallback_scsv +@@ -1571,12 +1575,13 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ctx2.enable_fallback_scsv ctx2.max_version = OpenSSL::SSL::TLS1_1_VERSION s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) ++ # AWS-LC has slightly different error messages in all-caps. t = Thread.new { - assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { + assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { @@ -552,17 +516,20 @@ index 07dc9a3..eb3458a 100644 s1.accept } t.join -@@ -1623,6 +1628,8 @@ def test_fallback_scsv +@@ -1587,6 +1592,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_tmp_dh_callback -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? + dh = Fixtures.pkey("dh-1") called = false ctx_proc = -> ctx { -@@ -1690,7 +1697,7 @@ def test_ciphersuites_method_bogus_csuite +@@ -1652,9 +1659,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ssl_ctx = OpenSSL::SSL::SSLContext.new + pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=) ++ # AWS-LC has slightly different error messages in all-caps. assert_raise_with_message( OpenSSL::SSL::SSLError, - /SSL_CTX_set_ciphersuites: no cipher match/i @@ -570,8 +537,11 @@ index 07dc9a3..eb3458a 100644 ) { ssl_ctx.ciphersuites = 'BOGUS' } end -@@ -1734,11 +1741,13 @@ def test_ciphers_method_bogus_csuite +@@ -1696,13 +1704,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + + ssl_ctx = OpenSSL::SSL::SSLContext.new ++ # AWS-LC has slightly different error messages in all-caps. assert_raise_with_message( OpenSSL::SSL::SSLError, - /SSL_CTX_set_cipher_list: no cipher match/i @@ -580,25 +550,25 @@ index 07dc9a3..eb3458a 100644 end def test_connect_works_when_setting_dh_callback_to_nil -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? + ctx_proc = -> ctx { ctx.max_version = :TLS1_2 ctx.ciphers = "DH:!NULL" # use DH -@@ -1754,6 +1763,8 @@ def test_connect_works_when_setting_dh_callback_to_nil +@@ -1718,6 +1729,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_tmp_dh -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? + dh = Fixtures.pkey("dh-1") ctx_proc = -> ctx { ctx.max_version = :TLS1_2 -diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb -index 89cf672..846cfe2 100644 ---- a/test/openssl/test_ssl_session.rb -+++ b/test/openssl/test_ssl_session.rb -@@ -28,9 +28,10 @@ def test_session +diff --git ruby/test/openssl/test_ssl_session.rb ruby/test/openssl/test_ssl_session.rb +index b243201..0059fb0 100644 +--- ruby/test/openssl/test_ssl_session.rb ++++ ruby/test/openssl/test_ssl_session.rb +@@ -28,9 +28,10 @@ class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase end end @@ -610,7 +580,7 @@ index 89cf672..846cfe2 100644 MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5 -@@ -54,9 +55,10 @@ def test_session +@@ -54,9 +55,10 @@ j+RBGfCFrrQbBdnkFI/ztgM= -----END SSL SESSION PARAMETERS----- __EOS__ @@ -622,7 +592,7 @@ index 89cf672..846cfe2 100644 lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53 hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi -@@ -120,7 +122,8 @@ def test_resumption +@@ -120,7 +122,8 @@ __EOS__ ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET # Disable server-side session cache which is enabled by default ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF @@ -632,26 +602,35 @@ index 89cf672..846cfe2 100644 } start_server(ctx_proc: ctx_proc) do |port| sess1 = server_connect_with_session(port, nil, nil) { |ssl| -@@ -238,10 +241,12 @@ def test_ctx_client_session_cb +@@ -238,14 +241,18 @@ __EOS__ end server_connect_with_session(port, ctx, nil) { |ssl| - assert_equal(1, ctx.session_cache_stats[:cache_num]) -+ # AWS-LC doesn't support internal session caching on the client, but -+ # the callback is still enabled as expected. -+ assert_equal(1, ctx.session_cache_stats[:cache_num]) if !aws_lc? assert_equal(1, ctx.session_cache_stats[:connect_good]) assert_equal([ssl, ssl.session], called[:new]) - assert(ctx.session_remove(ssl.session)) -+ assert(ctx.session_remove(ssl.session)) if !aws_lc? - assert(!ctx.session_remove(ssl.session)) - if TEST_SESSION_REMOVE_CB - assert_equal([ctx, ssl.session], called[:remove]) -diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb +- assert(!ctx.session_remove(ssl.session)) +- if TEST_SESSION_REMOVE_CB +- assert_equal([ctx, ssl.session], called[:remove]) ++ # AWS-LC doesn't support internal session caching on the client, but ++ # the callback is still enabled as expected. ++ unless aws_lc? ++ assert_equal(1, ctx.session_cache_stats[:cache_num]) ++ assert_equal(true, ctx.session_remove(ssl.session)) ++ if TEST_SESSION_REMOVE_CB ++ assert_equal([ctx, ssl.session], called[:remove]) ++ end + end ++ assert_equal(false, ctx.session_remove(ssl.session)) + } + end + end +diff --git ruby/test/openssl/test_x509store.rb ruby/test/openssl/test_x509store.rb index d6c0e70..dad4036 100644 ---- a/test/openssl/test_x509store.rb -+++ b/test/openssl/test_x509store.rb -@@ -331,7 +331,7 @@ def test_verify_with_crl +--- ruby/test/openssl/test_x509store.rb ++++ ruby/test/openssl/test_x509store.rb +@@ -331,7 +331,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase def test_add_cert_duplicate # Up until OpenSSL 1.1.0, X509_STORE_add_{cert,crl}() returned an error # if the given certificate is already in the X509_STORE @@ -660,29 +639,42 @@ index d6c0e70..dad4036 100644 ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") ca1_key = Fixtures.pkey("rsa-1") ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil) -diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb -index f6c84ee..a3c5ee0 100644 ---- a/test/openssl/utils.rb -+++ b/test/openssl/utils.rb -@@ -107,7 +107,7 @@ def get_subject_key_id(cert, hex: true) +diff --git ruby/test/openssl/utils.rb ruby/test/openssl/utils.rb +index 4ebcb98..18bb0c3 100644 +--- ruby/test/openssl/utils.rb ++++ ruby/test/openssl/utils.rb +@@ -132,7 +128,7 @@ module OpenSSL::TestUtils end - def openssl?(major = nil, minor = nil, fix = nil, patch = 0, status = 0) + def openssl?(major = nil, minor = nil, fix = nil, patch = 0) - return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") + return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") || OpenSSL::OPENSSL_VERSION.include?("AWS-LC") return true unless major OpenSSL::OPENSSL_VERSION_NUMBER >= - major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 + -@@ -119,6 +119,12 @@ def libressl?(major = nil, minor = nil, fix = nil) + major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 +@@ -143,6 +139,10 @@ module OpenSSL::TestUtils return false unless version !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 end + -+ def aws_lc?(major = nil, minor = nil, fix = nil) -+ version = OpenSSL::OPENSSL_VERSION.scan(/AWS-LC (\d+)\.(\d+)\.(\d+).*/)[0] -+ return false unless version -+ !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 ++ def aws_lc? ++ OpenSSL::OPENSSL_VERSION.include?("AWS-LC") + end end class OpenSSL::TestCase < Test::Unit::TestCase +@@ -298,6 +298,14 @@ class OpenSSL::PKeyTestCase < OpenSSL::TestCase + assert_equal base.send(comp), test.send(comp) + } + end ++ ++ def assert_sign_verify_false_or_error ++ ret = yield ++ rescue => e ++ assert_kind_of(OpenSSL::PKey::PKeyError, e) ++ else ++ assert_equal(false, ret) ++ end + end + + module OpenSSL::Certs diff --git a/tests/ci/integration/ruby_patch/ruby_3_4/aws-lc-ruby.patch b/tests/ci/integration/ruby_patch/ruby_3_4/aws-lc-ruby.patch new file mode 100644 index 0000000000..76879eb874 --- /dev/null +++ b/tests/ci/integration/ruby_patch/ruby_3_4/aws-lc-ruby.patch @@ -0,0 +1,734 @@ +diff --git ruby/ext/openssl/ossl.c ruby/ext/openssl/ossl.c +index 1eb0f95..2b0a39a 100644 +--- ruby/ext/openssl/ossl.c ++++ ruby/ext/openssl/ossl.c +@@ -411,7 +411,7 @@ ossl_fips_mode_get(VALUE self) + VALUE enabled; + enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse; + return enabled; +-#elif defined(OPENSSL_FIPS) ++#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) + VALUE enabled; + enabled = FIPS_mode() ? Qtrue : Qfalse; + return enabled; +@@ -446,7 +446,7 @@ ossl_fips_mode_set(VALUE self, VALUE enabled) + } + } + return enabled; +-#elif defined(OPENSSL_FIPS) ++#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) + if (RTEST(enabled)) { + int mode = FIPS_mode(); + if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ +@@ -1113,6 +1113,8 @@ Init_openssl(void) + Qtrue + #elif defined(OPENSSL_FIPS) + Qtrue ++#elif defined(OPENSSL_IS_AWSLC) // AWS-LC FIPS can only be enabled during compile time. ++ FIPS_mode() ? Qtrue : Qfalse + #else + Qfalse + #endif +diff --git ruby/ext/openssl/ossl_pkcs12.c ruby/ext/openssl/ossl_pkcs12.c +index bda90ae..5042b2d 100644 +--- ruby/ext/openssl/ossl_pkcs12.c ++++ ruby/ext/openssl/ossl_pkcs12.c +@@ -134,9 +134,15 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self) + if (!NIL_P(keytype)) + ktype = NUM2INT(keytype); + ++#if defined(OPENSSL_IS_AWSLC) ++ if (ktype != 0) { ++ ossl_raise(rb_eArgError, "Unknown key usage type %"PRIsVALUE, INT2NUM(ktype)); ++ } ++#else + if (ktype != 0 && ktype != KEY_SIG && ktype != KEY_EX) { + ossl_raise(rb_eArgError, "Unknown key usage type %"PRIsVALUE, INT2NUM(ktype)); + } ++#endif + + obj = NewPKCS12(cPKCS12); + x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca); +@@ -320,7 +326,9 @@ Init_ossl_pkcs12(void) + rb_define_method(cPKCS12, "to_der", ossl_pkcs12_to_der, 0); + rb_define_method(cPKCS12, "set_mac", pkcs12_set_mac, -1); + ++#if !defined(OPENSSL_IS_AWSLC) + /* MSIE specific PKCS12 key usage extensions */ + rb_define_const(cPKCS12, "KEY_EX", INT2NUM(KEY_EX)); + rb_define_const(cPKCS12, "KEY_SIG", INT2NUM(KEY_SIG)); ++#endif + } +diff --git ruby/ext/openssl/ossl_pkey_ec.c ruby/ext/openssl/ossl_pkey_ec.c +index 9852be6..f970b06 100644 +--- ruby/ext/openssl/ossl_pkey_ec.c ++++ ruby/ext/openssl/ossl_pkey_ec.c +@@ -657,8 +657,11 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self) + ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */ + if (nid == NID_undef) + ossl_raise(eEC_GROUP, "unknown curve name (%"PRIsVALUE")", arg1); +- ++#if !defined(OPENSSL_IS_AWSLC) + group = EC_GROUP_new_by_curve_name(nid); ++#else /* EC_GROUPs are static and immutable by default in AWS-LC. */ ++ group = EC_GROUP_new_by_curve_name_mutable(nid); ++#endif + if (group == NULL) + ossl_raise(eEC_GROUP, "unable to create curve (%"PRIsVALUE")", arg1); + +@@ -1367,7 +1370,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self) + GetECPointGroup(self, group); + + rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated"); +-#if !OSSL_OPENSSL_PREREQ(3, 0, 0) ++#if !OSSL_OPENSSL_PREREQ(3, 0, 0) && !defined(OPENSSL_IS_AWSLC) + if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1) + ossl_raise(eEC_POINT, "EC_POINT_make_affine"); + #endif +@@ -1516,7 +1519,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self) + if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) + ossl_raise(eEC_POINT, NULL); + } else { +-#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) ++#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_AWSLC) + rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \ + "supported by this OpenSSL version"); + #else +diff --git ruby/ext/openssl/ossl_ssl.c ruby/ext/openssl/ossl_ssl.c +index 2525d0c..4a17bbc 100644 +--- ruby/ext/openssl/ossl_ssl.c ++++ ruby/ext/openssl/ossl_ssl.c +@@ -823,7 +823,9 @@ ossl_sslctx_setup(VALUE self) + #endif + + #ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH ++#if !defined(OPENSSL_IS_AWSLC) /* AWS-LC has no support for TLS 1.3 PHA. */ + SSL_CTX_set_post_handshake_auth(ctx, 1); ++#endif + #endif + + val = rb_attr_get(self, id_i_cert_store); +@@ -1243,7 +1245,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) + rb_check_frozen(self); + GetSSLCTX(self, ctx); + +-#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) ++#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) && !defined(OPENSSL_IS_AWSLC) + SSL_CTX_set_security_level(ctx, NUM2INT(value)); + #else + (void)ctx; +diff --git ruby/test/openssl/test_asn1.rb ruby/test/openssl/test_asn1.rb +index 354b587..869ecc0 100644 +--- ruby/test/openssl/test_asn1.rb ++++ ruby/test/openssl/test_asn1.rb +@@ -458,7 +458,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase + encode_decode_test B(%w{ 81 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :CONTEXT_SPECIFIC) + encode_decode_test B(%w{ C1 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :PRIVATE) + encode_decode_test B(%w{ 1F 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 32, :UNIVERSAL) +- encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) ++ encode_decode_test B(%w{ 9F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :CONTEXT_SPECIFIC) + encode_decode_test B(%w{ 41 02 AB CD }), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 1, :APPLICATION) + encode_decode_test B(%w{ 41 81 80 } + %w{ AB CD } * 64), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 64), 1, :APPLICATION) + encode_decode_test B(%w{ 41 82 01 00 } + %w{ AB CD } * 128), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 128), 1, :APPLICATION) +diff --git ruby/test/openssl/test_bn.rb ruby/test/openssl/test_bn.rb +index 1217f25..5b68544 100644 +--- ruby/test/openssl/test_bn.rb ++++ ruby/test/openssl/test_bn.rb +@@ -321,6 +321,8 @@ class OpenSSL::TestBN < OpenSSL::TestCase + end + + def test_get_flags_and_set_flags ++ return if aws_lc? # AWS-LC does not support BN::CONSTTIME. ++ + e = OpenSSL::BN.new(999) + + assert_equal(0, e.get_flags(OpenSSL::BN::CONSTTIME)) +@@ -364,7 +366,9 @@ class OpenSSL::TestBN < OpenSSL::TestCase + assert_equal(true, Ractor.new(@e2) { _1.negative? }.take) + assert_include(128..255, Ractor.new { OpenSSL::BN.rand(8)}.take) + assert_include(0...2**32, Ractor.new { OpenSSL::BN.generate_prime(32) }.take) +- assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take) ++ if !aws_lc? # AWS-LC does not support BN::CONSTTIME. ++ assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take) ++ end + # test if shareable when frozen + assert Ractor.shareable?(@e1.freeze) + end +diff --git ruby/test/openssl/test_config.rb ruby/test/openssl/test_config.rb +index 759a5bb..c10a855 100644 +--- ruby/test/openssl/test_config.rb ++++ ruby/test/openssl/test_config.rb +@@ -43,6 +43,9 @@ __EOD__ + end + + def test_s_parse_format ++ # AWS-LC removed support for parsing $foo variables. ++ return if aws_lc? ++ + c = OpenSSL::Config.parse(<<__EOC__) + baz =qx\t # "baz = qx" + +@@ -213,13 +216,15 @@ __EOC__ + assert_raise(TypeError) do + @it.get_value(nil, 'HOME') # not allowed unlike Config#value + end +- # fallback to 'default' ugly... +- assert_equal('.', @it.get_value('unknown', 'HOME')) ++ unless aws_lc? # AWS-LC does not support the fallback ++ # fallback to 'default' ugly... ++ assert_equal('.', @it.get_value('unknown', 'HOME')) ++ end + end + + def test_get_value_ENV +- # LibreSSL removed support for NCONF_get_string(conf, "ENV", str) +- return if libressl? ++ # LibreSSL and AWS-LC removed support for NCONF_get_string(conf, "ENV", str) ++ return if libressl? || aws_lc? + + key = ENV.keys.first + assert_not_nil(key) # make sure we have at least one ENV var. +diff --git ruby/test/openssl/test_fips.rb ruby/test/openssl/test_fips.rb +index 4a3dd43..8a33cec 100644 +--- ruby/test/openssl/test_fips.rb ++++ ruby/test/openssl/test_fips.rb +@@ -28,6 +28,8 @@ class OpenSSL::TestFIPS < OpenSSL::TestCase + end + + def test_fips_mode_is_reentrant ++ return if aws_lc? # AWS-LC's FIPS mode is decided at compile time. ++ + assert_separately(["-ropenssl"], <<~"end;") + OpenSSL.fips_mode = false + OpenSSL.fips_mode = false +@@ -35,7 +37,7 @@ class OpenSSL::TestFIPS < OpenSSL::TestCase + end + + def test_fips_mode_get_with_fips_mode_set +- omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS ++ omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS and !aws_lc? # AWS-LC's FIPS mode is decided at compile time. + + assert_separately(["-ropenssl"], <<~"end;") + begin +diff --git ruby/test/openssl/test_pkcs12.rb ruby/test/openssl/test_pkcs12.rb +index 68a23b2..1b53287 100644 +--- ruby/test/openssl/test_pkcs12.rb ++++ ruby/test/openssl/test_pkcs12.rb +@@ -178,6 +178,8 @@ module OpenSSL + end + + def test_create_with_keytype ++ omit "AWS-LC does not support KEY_SIG and KEY_EX" if aws_lc? ++ + OpenSSL::PKCS12.create( + "omg", + "hello", +diff --git ruby/test/openssl/test_pkcs7.rb ruby/test/openssl/test_pkcs7.rb +index 862716b..dc209f9 100644 +--- ruby/test/openssl/test_pkcs7.rb ++++ ruby/test/openssl/test_pkcs7.rb +@@ -211,6 +211,8 @@ END + end + + def test_smime ++ pend "AWS-LC has no current support for SMIME with PKCS7" if aws_lc? ++ + store = OpenSSL::X509::Store.new + store.add_cert(@ca_cert) + ca_certs = [@ca_cert] +@@ -233,6 +235,8 @@ END + end + + def test_to_text ++ omit "AWS-LC does not support PKCS7.to_text" if aws_lc? ++ + p7 = OpenSSL::PKCS7.new + p7.type = "signed" + assert_match(/signed/, p7.to_text) +@@ -276,6 +280,8 @@ END + end + + def test_split_content ++ pend "AWS-LC ASN.1 parsers has no current support for parsing indefinite BER constructed strings" if aws_lc? ++ + pki_message_pem = < ctx { + ctx.ssl_version = :TLSv1_2 + ctx.ciphers = "aNULL" +@@ -1167,7 +1169,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ctx.set_params + # OpenSSL <= 1.1.0: "self signed certificate in certificate chain" + # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain" +- assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) { ++ # AWS-LC: "CERTIFICATE_VERIFY_FAILED (unable to get local issuer certificate)" ++ assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed|CERTIFICATE_VERIFY_FAILED/) { + server_connect(port, ctx) + } + } +@@ -1615,20 +1618,22 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + end + end + +- # DHE +- # TODO: How to test this with TLS 1.3? +- ctx_proc2 = proc { |ctx| +- ctx.ssl_version = :TLSv1_2 +- ctx.ciphers = "EDH" +- ctx.tmp_dh = Fixtures.pkey("dh-1") +- } +- start_server(ctx_proc: ctx_proc2) do |port| +- ctx = OpenSSL::SSL::SSLContext.new +- ctx.ssl_version = :TLSv1_2 +- ctx.ciphers = "EDH" +- server_connect(port, ctx) { |ssl| +- assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key ++ if !aws_lc? # AWS-LC does not support DHE ciphersuites. ++ # DHE ++ # TODO: SSL_CTX_set1_groups() is required for testing this with TLS 1.3 ++ ctx_proc2 = proc { |ctx| ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION ++ ctx.ciphers = "EDH" ++ ctx.tmp_dh = Fixtures.pkey("dh-1") + } ++ start_server(ctx_proc: ctx_proc2) do |port| ++ ctx = OpenSSL::SSL::SSLContext.new ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION ++ ctx.ciphers = "EDH" ++ server_connect(port, ctx) { |ssl| ++ assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key ++ } ++ end + end + + # ECDHE +@@ -1692,12 +1697,13 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ctx2.enable_fallback_scsv + ctx2.max_version = OpenSSL::SSL::TLS1_1_VERSION + s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) ++ # AWS-LC has slightly different error messages in all-caps. + t = Thread.new { +- assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { ++ assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { + s2.connect + } + } +- assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { ++ assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { + s1.accept + } + t.join +@@ -1708,6 +1714,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + end + + def test_tmp_dh_callback ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ + dh = Fixtures.pkey("dh-1") + called = false + ctx_proc = -> ctx { +@@ -1773,9 +1781,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ssl_ctx = OpenSSL::SSL::SSLContext.new + pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=) + ++ # AWS-LC has slightly different error messages in all-caps. + assert_raise_with_message( + OpenSSL::SSL::SSLError, +- /SSL_CTX_set_ciphersuites: no cipher match/i ++ /SSL_CTX_set_ciphersuites: (no cipher match|NO_CIPHER_MATCH)/i + ) { ssl_ctx.ciphersuites = 'BOGUS' } + end + +@@ -1817,13 +1826,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + + ssl_ctx = OpenSSL::SSL::SSLContext.new + ++ # AWS-LC has slightly different error messages in all-caps. + assert_raise_with_message( + OpenSSL::SSL::SSLError, +- /SSL_CTX_set_cipher_list: no cipher match/i ++ /SSL_CTX_set_cipher_list: (no cipher match|NO_CIPHER_MATCH)/i + ) { ssl_ctx.ciphers = 'BOGUS' } + end + + def test_connect_works_when_setting_dh_callback_to_nil ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ + ctx_proc = -> ctx { + ctx.max_version = :TLS1_2 + ctx.ciphers = "DH:!NULL" # use DH +@@ -1839,6 +1851,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + end + + def test_tmp_dh ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ + dh = Fixtures.pkey("dh-1") + ctx_proc = -> ctx { + ctx.max_version = :TLS1_2 +diff --git ruby/test/openssl/test_ssl_session.rb ruby/test/openssl/test_ssl_session.rb +index 25ba6a8..faed251 100644 +--- ruby/test/openssl/test_ssl_session.rb ++++ ruby/test/openssl/test_ssl_session.rb +@@ -28,9 +28,10 @@ class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase + end + end + ++ # PEM file updated to use TLS 1.2 with ECDHE-RSA-AES256-SHA. + DUMMY_SESSION = <<__EOS__ + -----BEGIN SSL SESSION PARAMETERS----- +-MIIDzQIBAQICAwEEAgA5BCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad ++MIIDzQIBAQICAwMEAsAUBCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad + MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy + NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB + BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5 +@@ -54,9 +55,10 @@ j+RBGfCFrrQbBdnkFI/ztgM= + -----END SSL SESSION PARAMETERS----- + __EOS__ + ++ # PEM file updated to use TLS 1.1 with ECDHE-RSA-AES256-SHA. + DUMMY_SESSION_NO_EXT = <<-__EOS__ + -----BEGIN SSL SESSION PARAMETERS----- +-MIIDCAIBAQICAwAEAgA5BCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+ ++MIIDCAIBAQICAwIEAsAUBCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+ + lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53 + hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B + AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi +@@ -120,7 +122,8 @@ __EOS__ + ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET + # Disable server-side session cache which is enabled by default + ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF +- ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0) ++ # Session tickets must be retrieved via ctx.session_new_cb in TLS 1.3 in AWS-LC. ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0) || aws_lc? + } + start_server(ctx_proc: ctx_proc) do |port| + sess1 = server_connect_with_session(port, nil, nil) { |ssl| +@@ -237,14 +240,18 @@ __EOS__ + end + + server_connect_with_session(port, ctx, nil) { |ssl| +- assert_equal(1, ctx.session_cache_stats[:cache_num]) + assert_equal(1, ctx.session_cache_stats[:connect_good]) + assert_equal([ssl, ssl.session], called[:new]) +- assert_equal(true, ctx.session_remove(ssl.session)) +- assert_equal(false, ctx.session_remove(ssl.session)) +- if TEST_SESSION_REMOVE_CB +- assert_equal([ctx, ssl.session], called[:remove]) ++ # AWS-LC doesn't support internal session caching on the client, but ++ # the callback is still enabled as expected. ++ unless aws_lc? ++ assert_equal(1, ctx.session_cache_stats[:cache_num]) ++ assert_equal(true, ctx.session_remove(ssl.session)) ++ if TEST_SESSION_REMOVE_CB ++ assert_equal([ctx, ssl.session], called[:remove]) ++ end + end ++ assert_equal(false, ctx.session_remove(ssl.session)) + } + end + end +@@ -252,6 +259,7 @@ __EOS__ + def test_ctx_client_session_cb_tls13 + omit "TLS 1.3 not supported" unless tls13_supported? + omit "LibreSSL does not call session_new_cb in TLS 1.3" if libressl? ++ omit "AWS-LC does not support internal session caching on the client" if aws_lc? + + start_server do |port| + called = {} +diff --git ruby/test/openssl/test_x509store.rb ruby/test/openssl/test_x509store.rb +index d6c0e70..dad4036 100644 +--- ruby/test/openssl/test_x509store.rb ++++ ruby/test/openssl/test_x509store.rb +@@ -331,7 +331,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase + def test_add_cert_duplicate + # Up until OpenSSL 1.1.0, X509_STORE_add_{cert,crl}() returned an error + # if the given certificate is already in the X509_STORE +- return if openssl?(1, 1, 0) || libressl? ++ return if openssl?(1, 1, 0) || libressl? || aws_lc? + ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") + ca1_key = Fixtures.pkey("rsa-1") + ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil) +diff --git ruby/test/openssl/utils.rb ruby/test/openssl/utils.rb +index f6c84ee..c2b9195 100644 +--- ruby/test/openssl/utils.rb ++++ ruby/test/openssl/utils.rb +@@ -107,7 +107,7 @@ module OpenSSL::TestUtils + end + + def openssl?(major = nil, minor = nil, fix = nil, patch = 0, status = 0) +- return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") ++ return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") || OpenSSL::OPENSSL_VERSION.include?("AWS-LC") + return true unless major + OpenSSL::OPENSSL_VERSION_NUMBER >= + major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 + +@@ -119,6 +119,10 @@ module OpenSSL::TestUtils + return false unless version + !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 + end ++ ++ def aws_lc? ++ OpenSSL::OPENSSL_VERSION.include?("AWS-LC") ++ end + end + + class OpenSSL::TestCase < Test::Unit::TestCase +@@ -299,6 +303,14 @@ class OpenSSL::PKeyTestCase < OpenSSL::TestCase + assert_equal base.send(comp), test.send(comp) + } + end ++ ++ def assert_sign_verify_false_or_error ++ ret = yield ++ rescue => e ++ assert_kind_of(OpenSSL::PKey::PKeyError, e) ++ else ++ assert_equal(false, ret) ++ end + end + + module OpenSSL::Certs diff --git a/tests/ci/integration/run_ruby_integration.sh b/tests/ci/integration/run_ruby_integration.sh index 18394aceb7..99d0d15883 100755 --- a/tests/ci/integration/run_ruby_integration.sh +++ b/tests/ci/integration/run_ruby_integration.sh @@ -51,7 +51,7 @@ function ruby_build() { make test-all TESTS="test/rubygems/test*.rb" # drb was moved from a default gem to a bundled gem in later versions of Ruby. - if [[ "${branch}" != "master" ]]; then + if [[ "${branch}" != "master" && "${branch}" != "ruby_3_4" ]]; then make test-all TESTS="test/drb/*ssl*.rb" fi @@ -70,15 +70,15 @@ function ruby_patch() { --depth 1 \ --branch ${branch} - # Add directory of backport patches if branch is not master. - if [[ "${branch}" != "master" ]]; then + # Add directory of backport patches if branch is a version later than Ruby 3.4. + if [[ "${branch}" != "master" && "${branch}" != "ruby_3_4" ]]; then patch_dirs+=("${RUBY_BACKPORT_FOLDER}") fi for patch_dir in "${patch_dirs[@]}"; do for patchfile in $(find -L ${patch_dir} -type f -name '*.patch'); do echo "Apply patch ${patchfile}..." - cat ${patchfile} | patch -p1 -F 3 --quiet -d ${src_dir} + patch --strip 1 -F 3 --quiet -d ${src_dir} --input ${patchfile} done done }