From 8124e0dcd19a8771a4b45fcfa2a9335787c77911 Mon Sep 17 00:00:00 2001 From: Samuel Chiang Date: Sat, 1 Mar 2025 02:01:19 +0000 Subject: [PATCH 1/5] Update patches in Ruby CI --- .../github_ci_integration_omnibus.yaml | 2 +- .../ruby_3_1/aws-lc-ruby-temp.patch | 618 --------------- .../ruby_3_2/aws-lc-ruby-temp.patch | 431 +++++----- .../ruby_3_3/aws-lc-ruby-temp.patch | 451 ++++++----- .../ruby_patch/ruby_3_4/aws-lc-ruby.patch | 739 ++++++++++++++++++ tests/ci/integration/run_ruby_integration.sh | 2 +- 6 files changed, 1194 insertions(+), 1049 deletions(-) delete mode 100644 tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch create mode 100644 tests/ci/integration/ruby_patch/ruby_3_4/aws-lc-ruby.patch diff --git a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml index 05f4501f31..2dd7dd1a07 100644 --- a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml +++ b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml @@ -480,7 +480,7 @@ batch: compute-type: BUILD_GENERAL1_MEDIUM image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_integration_latest variables: - AWS_LC_CI_TARGET: "tests/ci/integration/run_ruby_integration.sh ruby_3_3 ruby_3_2 ruby_3_1" + AWS_LC_CI_TARGET: "tests/ci/integration/run_ruby_integration.sh ruby_3_4 ruby_3_3 ruby_3_2" FIPS: 0 - identifier: ruby_release_fips_1_integration_x86_64 diff --git a/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch b/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch deleted file mode 100644 index c661cbeaa0..0000000000 --- a/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch +++ /dev/null @@ -1,618 +0,0 @@ -diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c -index 6c532ac..b4ca18b 100644 ---- a/ext/openssl/ossl.c -+++ b/ext/openssl/ossl.c -@@ -417,8 +417,7 @@ ossl_debug_set(VALUE self, VALUE val) - static VALUE - ossl_fips_mode_get(VALUE self) - { -- --#ifdef OPENSSL_FIPS -+#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) - VALUE enabled; - enabled = FIPS_mode() ? Qtrue : Qfalse; - return enabled; -@@ -443,7 +442,7 @@ static VALUE - ossl_fips_mode_set(VALUE self, VALUE enabled) - { - --#ifdef OPENSSL_FIPS -+#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) - if (RTEST(enabled)) { - int mode = FIPS_mode(); - if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ -@@ -1200,6 +1199,8 @@ Init_openssl(void) - rb_define_const(mOSSL, "OPENSSL_FIPS", - #ifdef OPENSSL_FIPS - Qtrue -+#elif defined(OPENSSL_IS_AWSLC) // AWS-LC FIPS can only be enabled during compile time. -+ FIPS_mode() ? Qtrue : Qfalse - #else - Qfalse - #endif -diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c -index fb947df..969aa25 100644 ---- a/ext/openssl/ossl_pkcs12.c -+++ b/ext/openssl/ossl_pkcs12.c -@@ -134,6 +134,12 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self) - if (!NIL_P(keytype)) - ktype = NUM2INT(keytype); - -+#if defined(OPENSSL_IS_AWSLC) -+ if (ktype != 0) { -+ ossl_raise(rb_eArgError, "Unknown key usage type with AWS-LC %"PRIsVALUE, INT2NUM(ktype)); -+ } -+#endif -+ - obj = NewPKCS12(cPKCS12); - x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca); - p12 = PKCS12_create(passphrase, friendlyname, key, x509, x509s, -diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c -index 06d59c2..74f41db 100644 ---- a/ext/openssl/ossl_pkey_ec.c -+++ b/ext/openssl/ossl_pkey_ec.c -@@ -589,8 +589,11 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self) - ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */ - if (nid == NID_undef) - ossl_raise(eEC_GROUP, "unknown curve name (%"PRIsVALUE")", arg1); -- -+#if !defined(OPENSSL_IS_AWSLC) - group = EC_GROUP_new_by_curve_name(nid); -+#else -+ group = EC_GROUP_new_by_curve_name_mutable(nid); -+#endif - if (group == NULL) - ossl_raise(eEC_GROUP, "unable to create curve (%"PRIsVALUE")", arg1); - -@@ -1295,7 +1298,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self) - GetECPointGroup(self, group); - - rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated"); --#if !OSSL_OPENSSL_PREREQ(3, 0, 0) -+#if !OSSL_OPENSSL_PREREQ(3, 0, 0) && !defined(OPENSSL_IS_AWSLC) - if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1) - ossl_raise(cEC_POINT, "EC_POINT_make_affine"); - #endif -@@ -1444,7 +1447,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self) - if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) - ossl_raise(eEC_POINT, NULL); - } else { --#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) -+#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_AWSLC) - rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \ - "supported by this OpenSSL version"); - #else -diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c -index 9a0682a..c289055 100644 ---- a/ext/openssl/ossl_ssl.c -+++ b/ext/openssl/ossl_ssl.c -@@ -1139,7 +1139,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) - rb_check_frozen(self); - GetSSLCTX(self, ctx); - --#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) -+#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) && !defined(OPENSSL_IS_AWSLC) - SSL_CTX_set_security_level(ctx, NUM2INT(value)); - #else - (void)ctx; -diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb -index 7e5b969..4521e62 100644 ---- a/test/openssl/test_asn1.rb -+++ b/test/openssl/test_asn1.rb -@@ -456,7 +456,8 @@ def test_basic_asn1data - encode_decode_test B(%w{ 81 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :CONTEXT_SPECIFIC) - encode_decode_test B(%w{ C1 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :PRIVATE) - encode_decode_test B(%w{ 1F 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 32, :UNIVERSAL) -- encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) -+ # AWS-LC does not support indefinite lengths with the UNIVERSAL tag. -+ encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) if !aws_lc? - encode_decode_test B(%w{ 41 02 AB CD }), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 1, :APPLICATION) - encode_decode_test B(%w{ 41 81 80 } + %w{ AB CD } * 64), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 64), 1, :APPLICATION) - encode_decode_test B(%w{ 41 82 01 00 } + %w{ AB CD } * 128), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 128), 1, :APPLICATION) -diff --git a/test/openssl/test_bn.rb b/test/openssl/test_bn.rb -index 346602d..e7b30fa 100644 ---- a/test/openssl/test_bn.rb -+++ b/test/openssl/test_bn.rb -@@ -313,6 +313,8 @@ def test_argument_error - end - - def test_get_flags_and_set_flags -+ return if aws_lc? # AWS-LC does not support BN::CONSTTIME. -+ - e = OpenSSL::BN.new(999) - - assert_equal(0, e.get_flags(OpenSSL::BN::CONSTTIME)) -diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb -index 24a215a..8f4eb39 100644 ---- a/test/openssl/test_config.rb -+++ b/test/openssl/test_config.rb -@@ -42,6 +42,9 @@ def test_s_parse - end - - def test_s_parse_format -+ # AWS-LC removed support for parsing $foo variables. -+ return if aws_lc? -+ - c = OpenSSL::Config.parse(<<__EOC__) - baz =qx\t # "baz = qx" - -@@ -216,12 +219,12 @@ def test_get_value - @it.get_value(nil, 'HOME') # not allowed unlike Config#value - end - # fallback to 'default' ugly... -- assert_equal('.', @it.get_value('unknown', 'HOME')) -+ assert_equal('.', @it.get_value('unknown', 'HOME')) if !aws_lc? # AWS-LC does not support the fallback - end - - def test_get_value_ENV -- # LibreSSL removed support for NCONF_get_string(conf, "ENV", str) -- return if libressl? -+ # LibreSSL and AWS-LC removed support for NCONF_get_string(conf, "ENV", str) -+ return if libressl? || aws_lc? - - key = ENV.keys.first - assert_not_nil(key) # make sure we have at least one ENV var. -diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb -index 8cd474f..d811590 100644 ---- a/test/openssl/test_fips.rb -+++ b/test/openssl/test_fips.rb -@@ -5,12 +5,15 @@ - - class OpenSSL::TestFIPS < OpenSSL::TestCase - def test_fips_mode_is_reentrant -+ return if aws_lc? # AWS-LC's FIPS mode is decided at compile time. -+ - OpenSSL.fips_mode = false - OpenSSL.fips_mode = false - end - - def test_fips_mode_get -- return unless OpenSSL::OPENSSL_FIPS -+ return unless OpenSSL::OPENSSL_FIPS and !aws_lc? # AWS-LC's FIPS mode is decided at compile time. -+ - assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") - require #{__FILE__.dump} - -diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb -index ec67674..be21f47 100644 ---- a/test/openssl/test_pkcs12.rb -+++ b/test/openssl/test_pkcs12.rb -@@ -159,7 +159,6 @@ def test_create_with_mac_itr - DEFAULT_PBE_PKEYS, - DEFAULT_PBE_CERTS, - nil, -- nil, - 2048 - ) - -diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb -index ba8b93d..7a23104 100644 ---- a/test/openssl/test_pkcs7.rb -+++ b/test/openssl/test_pkcs7.rb -@@ -191,6 +191,8 @@ def test_set_type_encrypted - end - - def test_smime -+ pend "AWS-LC has no current support for SMIME with PKCS7" if aws_lc? -+ - store = OpenSSL::X509::Store.new - store.add_cert(@ca_cert) - ca_certs = [@ca_cert] -@@ -315,12 +317,42 @@ def test_split_content - AwlEke0Uze1367QKgxM0nc3SZDlptY7zPIJC5saWXb8Rt2bw2JxEBOTavrp+ZwJ8 - tcH961onq8Tme2ICaCzk - -----END PKCS7----- -+END -+ # NOTE: below PEM differs very slightly from upstream ruby -+ # in that it encodes the inner EncryptedContent in -+ # definite-length DER OCTET_STRING whereas upstream (i.e. -+ # OpenSSL) encodes EncryptedContent as indefinite-length -+ # BER OCTET_STRING. The discrepancy is due to AWS-LC's lack -+ # of support for indefinite OCTET_STRINGS. -+ pki_message_content_pem_awslc = < ctx { - ctx.ssl_version = :TLSv1_2 - ctx.ciphers = "aNULL" -@@ -1000,7 +1002,7 @@ def test_connect_certificate_verify_failed_exception_message - ctx.set_params - # OpenSSL <= 1.1.0: "self signed certificate in certificate chain" - # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain" -- assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) { -+ assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed|CERTIFICATE_VERIFY_FAILED/) { - server_connect(port, ctx) - } - } -@@ -1458,20 +1460,22 @@ def test_get_ephemeral_key - end - end - -- # DHE -- # TODO: How to test this with TLS 1.3? -- ctx_proc2 = proc { |ctx| -- ctx.ssl_version = :TLSv1_2 -- ctx.ciphers = "EDH" -- ctx.tmp_dh = Fixtures.pkey("dh-1") -- } -- start_server(ctx_proc: ctx_proc2) do |port| -- ctx = OpenSSL::SSL::SSLContext.new -- ctx.ssl_version = :TLSv1_2 -- ctx.ciphers = "EDH" -- server_connect(port, ctx) { |ssl| -- assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key -+ if !aws_lc? -+ # DHE -+ # TODO: How to test this with TLS 1.3? -+ ctx_proc2 = proc { |ctx| -+ ctx.ssl_version = :TLSv1_2 -+ ctx.ciphers = "EDH" -+ ctx.tmp_dh = Fixtures.pkey("dh-1") - } -+ start_server(ctx_proc: ctx_proc2) do |port| -+ ctx = OpenSSL::SSL::SSLContext.new -+ ctx.ssl_version = :TLSv1_2 -+ ctx.ciphers = "EDH" -+ server_connect(port, ctx) { |ssl| -+ assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key -+ } -+ end - end - - # ECDHE -@@ -1536,11 +1540,11 @@ def test_fallback_scsv - ctx2.max_version = OpenSSL::SSL::TLS1_1_VERSION - s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) - t = Thread.new { -- assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { -+ assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { - s2.connect - } - } -- assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { -+ assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { - s1.accept - } - t.join -@@ -1551,6 +1555,8 @@ def test_fallback_scsv - end - - def test_tmp_dh_callback -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? -+ - dh = Fixtures.pkey("dh-1") - called = false - ctx_proc = -> ctx { -@@ -1570,6 +1576,8 @@ def test_tmp_dh_callback - end - - def test_connect_works_when_setting_dh_callback_to_nil -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? -+ - ctx_proc = -> ctx { - ctx.max_version = :TLS1_2 - ctx.ciphers = "DH:!NULL" # use DH -@@ -1585,6 +1593,8 @@ def test_connect_works_when_setting_dh_callback_to_nil - end - - def test_tmp_dh -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? -+ - dh = Fixtures.pkey("dh-1") - ctx_proc = -> ctx { - ctx.max_version = :TLS1_2 -diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb -index b72b10d..0f376e2 100644 ---- a/test/openssl/test_ssl_session.rb -+++ b/test/openssl/test_ssl_session.rb -@@ -28,9 +28,10 @@ def test_session - end - end - -+ # PEM file updated to use TLS 1.2 with ECDHE-RSA-AES256-SHA. - DUMMY_SESSION = <<__EOS__ - -----BEGIN SSL SESSION PARAMETERS----- --MIIDzQIBAQICAwEEAgA5BCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad -+MIIDzQIBAQICAwMEAsAUBCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad - MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy - NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB - BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5 -@@ -54,9 +55,10 @@ def test_session - -----END SSL SESSION PARAMETERS----- - __EOS__ - -+ # PEM file updated to use TLS 1.1 with ECDHE-RSA-AES256-SHA. - DUMMY_SESSION_NO_EXT = <<-__EOS__ - -----BEGIN SSL SESSION PARAMETERS----- --MIIDCAIBAQICAwAEAgA5BCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+ -+MIIDCAIBAQICAwIEAsAUBCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+ - lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53 - hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B - AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi -@@ -120,7 +122,8 @@ def test_resumption - ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET - # Disable server-side session cache which is enabled by default - ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF -- ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0) -+ # Session tickets must be retrieved via ctx.session_new_cb in TLS 1.3 in AWS-LC. -+ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0) || aws_lc? - } - start_server(ctx_proc: ctx_proc) do |port| - sess1 = server_connect_with_session(port, nil, nil) { |ssl| -@@ -238,10 +241,12 @@ def test_ctx_client_session_cb - end - - server_connect_with_session(port, ctx, nil) { |ssl| -- assert_equal(1, ctx.session_cache_stats[:cache_num]) -+ # AWS-LC doesn't support internal session caching on the client, but -+ # the callback is still enabled as expected. -+ assert_equal(1, ctx.session_cache_stats[:cache_num]) if !aws_lc? - assert_equal(1, ctx.session_cache_stats[:connect_good]) - assert_equal([ssl, ssl.session], called[:new]) -- assert(ctx.session_remove(ssl.session)) -+ assert(ctx.session_remove(ssl.session)) if !aws_lc? - assert(!ctx.session_remove(ssl.session)) - if TEST_SESSION_REMOVE_CB - assert_equal([ctx, ssl.session], called[:remove]) -diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb -index d6c0e70..dad4036 100644 ---- a/test/openssl/test_x509store.rb -+++ b/test/openssl/test_x509store.rb -@@ -331,7 +331,7 @@ def test_verify_with_crl - def test_add_cert_duplicate - # Up until OpenSSL 1.1.0, X509_STORE_add_{cert,crl}() returned an error - # if the given certificate is already in the X509_STORE -- return if openssl?(1, 1, 0) || libressl? -+ return if openssl?(1, 1, 0) || libressl? || aws_lc? - ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") - ca1_key = Fixtures.pkey("rsa-1") - ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil) -diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb -index 4ebcb98..b958c48 100644 ---- a/test/openssl/utils.rb -+++ b/test/openssl/utils.rb -@@ -2,10 +2,6 @@ - begin - require "openssl" - -- # Disable FIPS mode for tests for installations -- # where FIPS mode would be enabled by default. -- # Has no effect on all other installations. -- OpenSSL.fips_mode=false - rescue LoadError - end - -@@ -132,7 +128,7 @@ def get_subject_key_id(cert, hex: true) - end - - def openssl?(major = nil, minor = nil, fix = nil, patch = 0) -- return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") -+ return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") || OpenSSL::OPENSSL_VERSION.include?("AWS-LC") - return true unless major - OpenSSL::OPENSSL_VERSION_NUMBER >= - major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 -@@ -143,6 +139,12 @@ def libressl?(major = nil, minor = nil, fix = nil) - return false unless version - !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 - end -+ -+ def aws_lc?(major = nil, minor = nil, fix = nil) -+ version = OpenSSL::OPENSSL_VERSION.scan(/AWS-LC (\d+)\.(\d+)\.(\d+).*/)[0] -+ return false unless version -+ !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 -+ end - end - - class OpenSSL::TestCase < Test::Unit::TestCase diff --git a/tests/ci/integration/ruby_patch/ruby_3_2/aws-lc-ruby-temp.patch b/tests/ci/integration/ruby_patch/ruby_3_2/aws-lc-ruby-temp.patch index c535890672..ba808c112f 100644 --- a/tests/ci/integration/ruby_patch/ruby_3_2/aws-lc-ruby-temp.patch +++ b/tests/ci/integration/ruby_patch/ruby_3_2/aws-lc-ruby-temp.patch @@ -1,39 +1,38 @@ -diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c -index 6c532ac..b4ca18b 100644 ---- a/ext/openssl/ossl.c -+++ b/ext/openssl/ossl.c -@@ -417,8 +417,7 @@ ossl_debug_set(VALUE self, VALUE val) - static VALUE +diff --git ruby/ext/openssl/ossl.c ruby/ext/openssl/ossl.c +index 6c532ac..a53162c 100644 +--- ruby/ext/openssl/ossl.c ++++ ruby/ext/openssl/ossl.c +@@ -418,7 +418,7 @@ static VALUE ossl_fips_mode_get(VALUE self) { -- + -#ifdef OPENSSL_FIPS +#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) VALUE enabled; enabled = FIPS_mode() ? Qtrue : Qfalse; return enabled; -@@ -443,7 +442,7 @@ static VALUE +@@ -443,7 +443,7 @@ static VALUE ossl_fips_mode_set(VALUE self, VALUE enabled) { -#ifdef OPENSSL_FIPS +#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) if (RTEST(enabled)) { - int mode = FIPS_mode(); - if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ -@@ -1200,6 +1199,8 @@ Init_openssl(void) + int mode = FIPS_mode(); + if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ +@@ -1200,6 +1200,8 @@ Init_openssl(void) rb_define_const(mOSSL, "OPENSSL_FIPS", #ifdef OPENSSL_FIPS - Qtrue + Qtrue +#elif defined(OPENSSL_IS_AWSLC) // AWS-LC FIPS can only be enabled during compile time. + FIPS_mode() ? Qtrue : Qfalse #else - Qfalse + Qfalse #endif -diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c +diff --git ruby/ext/openssl/ossl_pkcs12.c ruby/ext/openssl/ossl_pkcs12.c index fb947df..969aa25 100644 ---- a/ext/openssl/ossl_pkcs12.c -+++ b/ext/openssl/ossl_pkcs12.c +--- ruby/ext/openssl/ossl_pkcs12.c ++++ ruby/ext/openssl/ossl_pkcs12.c @@ -134,6 +134,12 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self) if (!NIL_P(keytype)) ktype = NUM2INT(keytype); @@ -47,18 +46,18 @@ index fb947df..969aa25 100644 obj = NewPKCS12(cPKCS12); x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca); p12 = PKCS12_create(passphrase, friendlyname, key, x509, x509s, -diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c -index 92842f9..ad59300 100644 ---- a/ext/openssl/ossl_pkey_ec.c -+++ b/ext/openssl/ossl_pkey_ec.c +diff --git ruby/ext/openssl/ossl_pkey_ec.c ruby/ext/openssl/ossl_pkey_ec.c +index 92842f9..1af95d0 100644 +--- ruby/ext/openssl/ossl_pkey_ec.c ++++ ruby/ext/openssl/ossl_pkey_ec.c @@ -601,8 +601,11 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self) - ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */ + ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */ if (nid == NID_undef) ossl_raise(eEC_GROUP, "unknown curve name (%"PRIsVALUE")", arg1); - +#if !defined(OPENSSL_IS_AWSLC) group = EC_GROUP_new_by_curve_name(nid); -+#else ++#else /* EC_GROUPs are static and immutable by default in AWS-LC. */ + group = EC_GROUP_new_by_curve_name_mutable(nid); +#endif if (group == NULL) @@ -74,19 +73,29 @@ index 92842f9..ad59300 100644 ossl_raise(eEC_POINT, "EC_POINT_make_affine"); #endif @@ -1460,7 +1463,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self) - if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) - ossl_raise(eEC_POINT, NULL); + if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) + ossl_raise(eEC_POINT, NULL); } else { -#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) +#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_AWSLC) rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \ "supported by this OpenSSL version"); #else -diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c -index f639926..b6b41d4 100644 ---- a/ext/openssl/ossl_ssl.c -+++ b/ext/openssl/ossl_ssl.c -@@ -1241,7 +1241,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) +diff --git ruby/ext/openssl/ossl_ssl.c ruby/ext/openssl/ossl_ssl.c +index f639926..82e4e26 100644 +--- ruby/ext/openssl/ossl_ssl.c ++++ ruby/ext/openssl/ossl_ssl.c +@@ -821,7 +821,9 @@ ossl_sslctx_setup(VALUE self) + #endif + + #ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH ++#if !defined(OPENSSL_IS_AWSLC) /* AWS-LC has no support for TLS 1.3 PHA. */ + SSL_CTX_set_post_handshake_auth(ctx, 1); ++#endif + #endif + + val = rb_attr_get(self, id_i_cert_store); +@@ -1241,7 +1243,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) rb_check_frozen(self); GetSSLCTX(self, ctx); @@ -95,25 +104,24 @@ index f639926..b6b41d4 100644 SSL_CTX_set_security_level(ctx, NUM2INT(value)); #else (void)ctx; -diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb -index 7b1722e..67bbee0 100644 ---- a/test/openssl/test_asn1.rb -+++ b/test/openssl/test_asn1.rb -@@ -451,7 +451,8 @@ def test_basic_asn1data +diff --git ruby/test/openssl/test_asn1.rb ruby/test/openssl/test_asn1.rb +index 7b1722e..e09d680 100644 +--- ruby/test/openssl/test_asn1.rb ++++ ruby/test/openssl/test_asn1.rb +@@ -451,7 +451,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase encode_decode_test B(%w{ 81 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :CONTEXT_SPECIFIC) encode_decode_test B(%w{ C1 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :PRIVATE) encode_decode_test B(%w{ 1F 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 32, :UNIVERSAL) - encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) -+ # AWS-LC does not support indefinite lengths with the UNIVERSAL tag. -+ encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) if !aws_lc? ++ encode_decode_test B(%w{ 9F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :CONTEXT_SPECIFIC) encode_decode_test B(%w{ 41 02 AB CD }), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 1, :APPLICATION) encode_decode_test B(%w{ 41 81 80 } + %w{ AB CD } * 64), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 64), 1, :APPLICATION) encode_decode_test B(%w{ 41 82 01 00 } + %w{ AB CD } * 128), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 128), 1, :APPLICATION) -diff --git a/test/openssl/test_bn.rb b/test/openssl/test_bn.rb -index 77af140..73657a7 100644 ---- a/test/openssl/test_bn.rb -+++ b/test/openssl/test_bn.rb -@@ -319,6 +319,8 @@ def test_argument_error +diff --git ruby/test/openssl/test_bn.rb ruby/test/openssl/test_bn.rb +index 77af140..d2007f4 100644 +--- ruby/test/openssl/test_bn.rb ++++ ruby/test/openssl/test_bn.rb +@@ -319,6 +319,8 @@ class OpenSSL::TestBN < OpenSSL::TestCase end def test_get_flags_and_set_flags @@ -122,11 +130,22 @@ index 77af140..73657a7 100644 e = OpenSSL::BN.new(999) assert_equal(0, e.get_flags(OpenSSL::BN::CONSTTIME)) -diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb -index 24a215a..8f4eb39 100644 ---- a/test/openssl/test_config.rb -+++ b/test/openssl/test_config.rb -@@ -42,6 +42,9 @@ def test_s_parse +@@ -362,7 +364,9 @@ class OpenSSL::TestBN < OpenSSL::TestCase + assert_equal(true, Ractor.new(@e2) { _1.negative? }.take) + assert_include(128..255, Ractor.new { OpenSSL::BN.rand(8)}.take) + assert_include(0...2**32, Ractor.new { OpenSSL::BN.generate_prime(32) }.take) +- assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take) ++ if !aws_lc? # AWS-LC does not support BN::CONSTTIME. ++ assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take) ++ end + end + end + end +diff --git ruby/test/openssl/test_config.rb ruby/test/openssl/test_config.rb +index 24a215a..7139e30 100644 +--- ruby/test/openssl/test_config.rb ++++ ruby/test/openssl/test_config.rb +@@ -42,6 +42,9 @@ __EOD__ end def test_s_parse_format @@ -136,12 +155,16 @@ index 24a215a..8f4eb39 100644 c = OpenSSL::Config.parse(<<__EOC__) baz =qx\t # "baz = qx" -@@ -216,12 +219,12 @@ def test_get_value +@@ -215,13 +218,15 @@ __EOC__ + assert_raise(TypeError) do @it.get_value(nil, 'HOME') # not allowed unlike Config#value end - # fallback to 'default' ugly... +- # fallback to 'default' ugly... - assert_equal('.', @it.get_value('unknown', 'HOME')) -+ assert_equal('.', @it.get_value('unknown', 'HOME')) if !aws_lc? # AWS-LC does not support the fallback ++ unless aws_lc? # AWS-LC does not support the fallback ++ # fallback to 'default' ugly... ++ assert_equal('.', @it.get_value('unknown', 'HOME')) ++ end end def test_get_value_ENV @@ -152,11 +175,11 @@ index 24a215a..8f4eb39 100644 key = ENV.keys.first assert_not_nil(key) # make sure we have at least one ENV var. -diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb +diff --git ruby/test/openssl/test_fips.rb ruby/test/openssl/test_fips.rb index 8cd474f..d811590 100644 ---- a/test/openssl/test_fips.rb -+++ b/test/openssl/test_fips.rb -@@ -5,12 +5,15 @@ +--- ruby/test/openssl/test_fips.rb ++++ ruby/test/openssl/test_fips.rb +@@ -5,12 +5,15 @@ if defined?(OpenSSL) class OpenSSL::TestFIPS < OpenSSL::TestCase def test_fips_mode_is_reentrant @@ -173,11 +196,11 @@ index 8cd474f..d811590 100644 assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") require #{__FILE__.dump} -diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb +diff --git ruby/test/openssl/test_pkcs12.rb ruby/test/openssl/test_pkcs12.rb index ec67674..be21f47 100644 ---- a/test/openssl/test_pkcs12.rb -+++ b/test/openssl/test_pkcs12.rb -@@ -159,7 +159,6 @@ def test_create_with_mac_itr +--- ruby/test/openssl/test_pkcs12.rb ++++ ruby/test/openssl/test_pkcs12.rb +@@ -159,7 +159,6 @@ module OpenSSL DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, nil, @@ -185,11 +208,11 @@ index ec67674..be21f47 100644 2048 ) -diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb -index ba8b93d..7a23104 100644 ---- a/test/openssl/test_pkcs7.rb -+++ b/test/openssl/test_pkcs7.rb -@@ -191,6 +191,8 @@ def test_set_type_encrypted +diff --git ruby/test/openssl/test_pkcs7.rb ruby/test/openssl/test_pkcs7.rb +index ba8b93d..f721ca8 100644 +--- ruby/test/openssl/test_pkcs7.rb ++++ ruby/test/openssl/test_pkcs7.rb +@@ -191,6 +191,8 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase end def test_smime @@ -198,55 +221,34 @@ index ba8b93d..7a23104 100644 store = OpenSSL::X509::Store.new store.add_cert(@ca_cert) ca_certs = [@ca_cert] -@@ -315,12 +317,42 @@ def test_split_content - AwlEke0Uze1367QKgxM0nc3SZDlptY7zPIJC5saWXb8Rt2bw2JxEBOTavrp+ZwJ8 - tcH961onq8Tme2ICaCzk - -----END PKCS7----- -+END -+ # NOTE: below PEM differs very slightly from upstream ruby -+ # in that it encodes the inner EncryptedContent in -+ # definite-length DER OCTET_STRING whereas upstream (i.e. -+ # OpenSSL) encodes EncryptedContent as indefinite-length -+ # BER OCTET_STRING. The discrepancy is due to AWS-LC's lack -+ # of support for indefinite OCTET_STRINGS. -+ pki_message_content_pem_awslc = < ctx { ctx.ssl_version = :TLSv1_2 ctx.ciphers = "aNULL" -@@ -1494,20 +1496,22 @@ def test_get_ephemeral_key +@@ -1494,20 +1496,22 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end @@ -469,17 +466,17 @@ index db76f1d..ec33cda 100644 - ctx.ciphers = "EDH" - server_connect(port, ctx) { |ssl| - assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key -+ if !aws_lc? ++ if !aws_lc? # AWS-LC does not support DHE ciphersuites. + # DHE -+ # TODO: How to test this with TLS 1.3? ++ # TODO: SSL_CTX_set1_groups() is required for testing this with TLS 1.3 + ctx_proc2 = proc { |ctx| -+ ctx.ssl_version = :TLSv1_2 ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION + ctx.ciphers = "EDH" + ctx.tmp_dh = Fixtures.pkey("dh-1") } + start_server(ctx_proc: ctx_proc2) do |port| + ctx = OpenSSL::SSL::SSLContext.new -+ ctx.ssl_version = :TLSv1_2 ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION + ctx.ciphers = "EDH" + server_connect(port, ctx) { |ssl| + assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key @@ -488,9 +485,11 @@ index db76f1d..ec33cda 100644 end # ECDHE -@@ -1572,11 +1576,11 @@ def test_fallback_scsv +@@ -1571,12 +1575,13 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ctx2.enable_fallback_scsv ctx2.max_version = OpenSSL::SSL::TLS1_1_VERSION s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) ++ # AWS-LC has slightly different error messages in all-caps. t = Thread.new { - assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { + assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { @@ -502,17 +501,20 @@ index db76f1d..ec33cda 100644 s1.accept } t.join -@@ -1587,6 +1591,8 @@ def test_fallback_scsv +@@ -1587,6 +1592,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_tmp_dh_callback -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? + dh = Fixtures.pkey("dh-1") called = false ctx_proc = -> ctx { -@@ -1654,7 +1660,7 @@ def test_ciphersuites_method_bogus_csuite +@@ -1652,9 +1659,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ssl_ctx = OpenSSL::SSL::SSLContext.new + pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=) ++ # AWS-LC has slightly different error messages in all-caps. assert_raise_with_message( OpenSSL::SSL::SSLError, - /SSL_CTX_set_ciphersuites: no cipher match/i @@ -520,8 +522,11 @@ index db76f1d..ec33cda 100644 ) { ssl_ctx.ciphersuites = 'BOGUS' } end -@@ -1698,11 +1704,13 @@ def test_ciphers_method_bogus_csuite +@@ -1696,13 +1704,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ssl_ctx = OpenSSL::SSL::SSLContext.new + ++ # AWS-LC has slightly different error messages in all-caps. assert_raise_with_message( OpenSSL::SSL::SSLError, - /SSL_CTX_set_cipher_list: no cipher match/i @@ -530,25 +535,25 @@ index db76f1d..ec33cda 100644 end def test_connect_works_when_setting_dh_callback_to_nil -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? + ctx_proc = -> ctx { ctx.max_version = :TLS1_2 ctx.ciphers = "DH:!NULL" # use DH -@@ -1718,6 +1726,8 @@ def test_connect_works_when_setting_dh_callback_to_nil +@@ -1718,6 +1729,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_tmp_dh -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? + dh = Fixtures.pkey("dh-1") ctx_proc = -> ctx { ctx.max_version = :TLS1_2 -diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb -index b243201..ccc764a 100644 ---- a/test/openssl/test_ssl_session.rb -+++ b/test/openssl/test_ssl_session.rb -@@ -28,9 +28,10 @@ def test_session +diff --git ruby/test/openssl/test_ssl_session.rb ruby/test/openssl/test_ssl_session.rb +index b243201..0059fb0 100644 +--- ruby/test/openssl/test_ssl_session.rb ++++ ruby/test/openssl/test_ssl_session.rb +@@ -28,9 +28,10 @@ class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase end end @@ -560,7 +565,7 @@ index b243201..ccc764a 100644 MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5 -@@ -54,9 +55,10 @@ def test_session +@@ -54,9 +55,10 @@ j+RBGfCFrrQbBdnkFI/ztgM= -----END SSL SESSION PARAMETERS----- __EOS__ @@ -572,7 +577,7 @@ index b243201..ccc764a 100644 lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53 hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi -@@ -120,7 +122,8 @@ def test_resumption +@@ -120,7 +122,8 @@ __EOS__ ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET # Disable server-side session cache which is enabled by default ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF @@ -582,26 +587,35 @@ index b243201..ccc764a 100644 } start_server(ctx_proc: ctx_proc) do |port| sess1 = server_connect_with_session(port, nil, nil) { |ssl| -@@ -238,10 +241,12 @@ def test_ctx_client_session_cb +@@ -238,14 +241,18 @@ __EOS__ end server_connect_with_session(port, ctx, nil) { |ssl| - assert_equal(1, ctx.session_cache_stats[:cache_num]) -+ # AWS-LC doesn't support internal session caching on the client, but -+ # the callback is still enabled as expected. -+ assert_equal(1, ctx.session_cache_stats[:cache_num]) if !aws_lc? assert_equal(1, ctx.session_cache_stats[:connect_good]) assert_equal([ssl, ssl.session], called[:new]) - assert(ctx.session_remove(ssl.session)) -+ assert(ctx.session_remove(ssl.session)) if !aws_lc? - assert(!ctx.session_remove(ssl.session)) - if TEST_SESSION_REMOVE_CB - assert_equal([ctx, ssl.session], called[:remove]) -diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb +- assert(!ctx.session_remove(ssl.session)) +- if TEST_SESSION_REMOVE_CB +- assert_equal([ctx, ssl.session], called[:remove]) ++ # AWS-LC doesn't support internal session caching on the client, but ++ # the callback is still enabled as expected. ++ unless aws_lc? ++ assert_equal(1, ctx.session_cache_stats[:cache_num]) ++ assert_equal(true, ctx.session_remove(ssl.session)) ++ if TEST_SESSION_REMOVE_CB ++ assert_equal([ctx, ssl.session], called[:remove]) ++ end + end ++ assert_equal(false, ctx.session_remove(ssl.session)) + } + end + end +diff --git ruby/test/openssl/test_x509store.rb ruby/test/openssl/test_x509store.rb index d6c0e70..dad4036 100644 ---- a/test/openssl/test_x509store.rb -+++ b/test/openssl/test_x509store.rb -@@ -331,7 +331,7 @@ def test_verify_with_crl +--- ruby/test/openssl/test_x509store.rb ++++ ruby/test/openssl/test_x509store.rb +@@ -331,7 +331,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase def test_add_cert_duplicate # Up until OpenSSL 1.1.0, X509_STORE_add_{cert,crl}() returned an error # if the given certificate is already in the X509_STORE @@ -610,10 +624,10 @@ index d6c0e70..dad4036 100644 ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") ca1_key = Fixtures.pkey("rsa-1") ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil) -diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb -index 4ebcb98..b958c48 100644 ---- a/test/openssl/utils.rb -+++ b/test/openssl/utils.rb +diff --git ruby/test/openssl/utils.rb ruby/test/openssl/utils.rb +index 4ebcb98..18bb0c3 100644 +--- ruby/test/openssl/utils.rb ++++ ruby/test/openssl/utils.rb @@ -2,10 +2,6 @@ begin require "openssl" @@ -625,7 +639,7 @@ index 4ebcb98..b958c48 100644 rescue LoadError end -@@ -132,7 +128,7 @@ def get_subject_key_id(cert, hex: true) +@@ -132,7 +128,7 @@ module OpenSSL::TestUtils end def openssl?(major = nil, minor = nil, fix = nil, patch = 0) @@ -634,16 +648,29 @@ index 4ebcb98..b958c48 100644 return true unless major OpenSSL::OPENSSL_VERSION_NUMBER >= major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 -@@ -143,6 +139,12 @@ def libressl?(major = nil, minor = nil, fix = nil) +@@ -143,6 +139,10 @@ module OpenSSL::TestUtils return false unless version !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 end + -+ def aws_lc?(major = nil, minor = nil, fix = nil) -+ version = OpenSSL::OPENSSL_VERSION.scan(/AWS-LC (\d+)\.(\d+)\.(\d+).*/)[0] -+ return false unless version -+ !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 ++ def aws_lc? ++ OpenSSL::OPENSSL_VERSION.include?("AWS-LC") + end end class OpenSSL::TestCase < Test::Unit::TestCase +@@ -298,6 +298,14 @@ class OpenSSL::PKeyTestCase < OpenSSL::TestCase + assert_equal base.send(comp), test.send(comp) + } + end ++ ++ def assert_sign_verify_false_or_error ++ ret = yield ++ rescue => e ++ assert_kind_of(OpenSSL::PKey::PKeyError, e) ++ else ++ assert_equal(false, ret) ++ end + end + + module OpenSSL::Certs diff --git a/tests/ci/integration/ruby_patch/ruby_3_3/aws-lc-ruby-temp.patch b/tests/ci/integration/ruby_patch/ruby_3_3/aws-lc-ruby-temp.patch index 3e2e34b1fd..f3a480365a 100644 --- a/tests/ci/integration/ruby_patch/ruby_3_3/aws-lc-ruby-temp.patch +++ b/tests/ci/integration/ruby_patch/ruby_3_3/aws-lc-ruby-temp.patch @@ -1,4 +1,4 @@ -diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c +diff --git ruby/ext/openssl/ossl.c ruby/ext/openssl/ossl.c index 00eded5..86cc918 100644 --- a/ext/openssl/ossl.c +++ b/ext/openssl/ossl.c @@ -18,21 +18,21 @@ index 00eded5..86cc918 100644 -#elif defined(OPENSSL_FIPS) +#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) if (RTEST(enabled)) { - int mode = FIPS_mode(); - if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ + int mode = FIPS_mode(); + if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ @@ -1113,6 +1113,8 @@ Init_openssl(void) Qtrue #elif defined(OPENSSL_FIPS) - Qtrue + Qtrue +#elif defined(OPENSSL_IS_AWSLC) // AWS-LC FIPS can only be enabled during compile time. + FIPS_mode() ? Qtrue : Qfalse #else - Qfalse + Qfalse #endif -diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c -index 164b2da..c4a8f94 100644 ---- a/ext/openssl/ossl_pkcs12.c -+++ b/ext/openssl/ossl_pkcs12.c +diff --git ruby/ext/openssl/ossl_pkcs12.c ruby/ext/openssl/ossl_pkcs12.c +index fb947df..969aa25 100644 +--- ruby/ext/openssl/ossl_pkcs12.c ++++ ruby/ext/openssl/ossl_pkcs12.c @@ -134,6 +134,12 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self) if (!NIL_P(keytype)) ktype = NUM2INT(keytype); @@ -46,24 +46,24 @@ index 164b2da..c4a8f94 100644 obj = NewPKCS12(cPKCS12); x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca); p12 = PKCS12_create(passphrase, friendlyname, key, x509, x509s, -diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c -index 4b3a1fd..aa7b234 100644 ---- a/ext/openssl/ossl_pkey_ec.c -+++ b/ext/openssl/ossl_pkey_ec.c -@@ -657,8 +657,11 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self) - ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */ +diff --git ruby/ext/openssl/ossl_pkey_ec.c ruby/ext/openssl/ossl_pkey_ec.c +index 92842f9..1af95d0 100644 +--- ruby/ext/openssl/ossl_pkey_ec.c ++++ ruby/ext/openssl/ossl_pkey_ec.c +@@ -601,8 +601,11 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self) + ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */ if (nid == NID_undef) ossl_raise(eEC_GROUP, "unknown curve name (%"PRIsVALUE")", arg1); - +#if !defined(OPENSSL_IS_AWSLC) group = EC_GROUP_new_by_curve_name(nid); -+#else ++#else /* EC_GROUPs are static and immutable by default in AWS-LC. */ + group = EC_GROUP_new_by_curve_name_mutable(nid); +#endif if (group == NULL) ossl_raise(eEC_GROUP, "unable to create curve (%"PRIsVALUE")", arg1); -@@ -1367,7 +1370,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self) +@@ -1311,7 +1314,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self) GetECPointGroup(self, group); rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated"); @@ -72,47 +72,56 @@ index 4b3a1fd..aa7b234 100644 if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1) ossl_raise(eEC_POINT, "EC_POINT_make_affine"); #endif -@@ -1516,7 +1519,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self) - if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) - ossl_raise(eEC_POINT, NULL); +@@ -1460,7 +1463,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self) + if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) + ossl_raise(eEC_POINT, NULL); } else { -#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) +#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_AWSLC) rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \ "supported by this OpenSSL version"); #else -diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c -index 236d455..f6aa0eb 100644 ---- a/ext/openssl/ossl_ssl.c -+++ b/ext/openssl/ossl_ssl.c +diff --git ruby/ext/openssl/ossl_ssl.c ruby/ext/openssl/ossl_ssl.c +index f639926..4c74476 100644 +--- ruby/ext/openssl/ossl_ssl.c ++++ ruby/ext/openssl/ossl_ssl.c +@@ -821,7 +821,9 @@ ossl_sslctx_setup(VALUE self) + #endif + + #ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH ++#if !defined(OPENSSL_IS_AWSLC) /* AWS-LC has no support for TLS 1.3 PHA. */ + SSL_CTX_set_post_handshake_auth(ctx, 1); ++#endif + #endif + + val = rb_attr_get(self, id_i_cert_store); @@ -1241,7 +1241,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) rb_check_frozen(self); GetSSLCTX(self, ctx); - + -#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) +#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) && !defined(OPENSSL_IS_AWSLC) SSL_CTX_set_security_level(ctx, NUM2INT(value)); #else (void)ctx; -diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb -index 7b1722e..67bbee0 100644 ---- a/test/openssl/test_asn1.rb -+++ b/test/openssl/test_asn1.rb -@@ -451,7 +451,8 @@ def test_basic_asn1data +diff --git ruby/test/openssl/test_asn1.rb ruby/test/openssl/test_asn1.rb +index 7b1722e..e09d680 100644 +--- ruby/test/openssl/test_asn1.rb ++++ ruby/test/openssl/test_asn1.rb +@@ -451,7 +451,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase encode_decode_test B(%w{ 81 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :CONTEXT_SPECIFIC) encode_decode_test B(%w{ C1 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :PRIVATE) encode_decode_test B(%w{ 1F 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 32, :UNIVERSAL) - encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) -+ # AWS-LC does not support indefinite lengths with the UNIVERSAL tag. -+ encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) if !aws_lc? ++ encode_decode_test B(%w{ 9F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :CONTEXT_SPECIFIC) encode_decode_test B(%w{ 41 02 AB CD }), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 1, :APPLICATION) encode_decode_test B(%w{ 41 81 80 } + %w{ AB CD } * 64), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 64), 1, :APPLICATION) encode_decode_test B(%w{ 41 82 01 00 } + %w{ AB CD } * 128), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 128), 1, :APPLICATION) -diff --git a/test/openssl/test_bn.rb b/test/openssl/test_bn.rb -index ea88ff0..1eb58e5 100644 ---- a/test/openssl/test_bn.rb -+++ b/test/openssl/test_bn.rb -@@ -321,6 +321,8 @@ def test_argument_error +diff --git ruby/test/openssl/test_bn.rb ruby/test/openssl/test_bn.rb +index 77af140..d2007f4 100644 +--- ruby/test/openssl/test_bn.rb ++++ ruby/test/openssl/test_bn.rb +@@ -319,6 +319,8 @@ class OpenSSL::TestBN < OpenSSL::TestCase end def test_get_flags_and_set_flags @@ -121,11 +130,22 @@ index ea88ff0..1eb58e5 100644 e = OpenSSL::BN.new(999) assert_equal(0, e.get_flags(OpenSSL::BN::CONSTTIME)) -diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb -index 6dbb9c6..1d544d4 100644 ---- a/test/openssl/test_config.rb -+++ b/test/openssl/test_config.rb -@@ -42,6 +42,9 @@ def test_s_parse +@@ -362,7 +364,9 @@ class OpenSSL::TestBN < OpenSSL::TestCase + assert_equal(true, Ractor.new(@e2) { _1.negative? }.take) + assert_include(128..255, Ractor.new { OpenSSL::BN.rand(8)}.take) + assert_include(0...2**32, Ractor.new { OpenSSL::BN.generate_prime(32) }.take) +- assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take) ++ if !aws_lc? # AWS-LC does not support BN::CONSTTIME. ++ assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take) ++ end + end + end + end +diff --git ruby/test/openssl/test_config.rb ruby/test/openssl/test_config.rb +index 24a215a..7139e30 100644 +--- ruby/test/openssl/test_config.rb ++++ ruby/test/openssl/test_config.rb +@@ -42,6 +42,9 @@ __EOD__ end def test_s_parse_format @@ -135,12 +155,16 @@ index 6dbb9c6..1d544d4 100644 c = OpenSSL::Config.parse(<<__EOC__) baz =qx\t # "baz = qx" -@@ -212,12 +215,12 @@ def test_get_value +@@ -215,13 +218,15 @@ __EOC__ + assert_raise(TypeError) do @it.get_value(nil, 'HOME') # not allowed unlike Config#value end - # fallback to 'default' ugly... +- # fallback to 'default' ugly... - assert_equal('.', @it.get_value('unknown', 'HOME')) -+ assert_equal('.', @it.get_value('unknown', 'HOME')) if !aws_lc? # AWS-LC does not support the fallback ++ unless aws_lc? # AWS-LC does not support the fallback ++ # fallback to 'default' ugly... ++ assert_equal('.', @it.get_value('unknown', 'HOME')) ++ end end def test_get_value_ENV @@ -151,32 +175,10 @@ index 6dbb9c6..1d544d4 100644 key = ENV.keys.first assert_not_nil(key) # make sure we have at least one ENV var. -diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb -index 4a3dd43..8d8737b 100644 ---- a/test/openssl/test_fips.rb -+++ b/test/openssl/test_fips.rb -@@ -5,9 +5,7 @@ - - class OpenSSL::TestFIPS < OpenSSL::TestCase - def test_fips_mode_get_is_true_on_fips_mode_enabled -- unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] -- omit "Only for FIPS mode environment" -- end -+ omit_on_non_fips - - assert_separately(["-ropenssl"], <<~"end;") - assert OpenSSL.fips_mode == true, ".fips_mode should return true on FIPS mode enabled" -@@ -15,9 +13,7 @@ def test_fips_mode_get_is_true_on_fips_mode_enabled - end - - def test_fips_mode_get_is_false_on_fips_mode_disabled -- if ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] -- omit "Only for non-FIPS mode environment" -- end -+ omit_on_fips - - assert_separately(["-ropenssl"], <<~"end;") - message = ".fips_mode should return false on FIPS mode disabled. " \ +diff --git ruby/test/openssl/test_fips.rb ruby/test/openssl/test_fips.rb +index 8cd474f..d811590 100644 +--- ruby/test/openssl/test_fips.rb ++++ ruby/test/openssl/test_fips.rb @@ -28,6 +24,8 @@ def test_fips_mode_get_is_false_on_fips_mode_disabled end @@ -195,11 +197,11 @@ index 4a3dd43..8d8737b 100644 assert_separately(["-ropenssl"], <<~"end;") begin -diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb -index e6b91b5..8a87776 100644 ---- a/test/openssl/test_pkcs12.rb -+++ b/test/openssl/test_pkcs12.rb -@@ -159,7 +159,6 @@ def test_create_with_mac_itr +diff --git ruby/test/openssl/test_pkcs12.rb ruby/test/openssl/test_pkcs12.rb +index ec67674..be21f47 100644 +--- ruby/test/openssl/test_pkcs12.rb ++++ ruby/test/openssl/test_pkcs12.rb +@@ -159,7 +159,6 @@ module OpenSSL DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, nil, @@ -207,11 +209,11 @@ index e6b91b5..8a87776 100644 2048 ) -diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb -index ba8b93d..7a23104 100644 ---- a/test/openssl/test_pkcs7.rb -+++ b/test/openssl/test_pkcs7.rb -@@ -191,6 +191,8 @@ def test_set_type_encrypted +diff --git ruby/test/openssl/test_pkcs7.rb ruby/test/openssl/test_pkcs7.rb +index ba8b93d..f721ca8 100644 +--- ruby/test/openssl/test_pkcs7.rb ++++ ruby/test/openssl/test_pkcs7.rb +@@ -191,6 +191,8 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase end def test_smime @@ -220,63 +222,33 @@ index ba8b93d..7a23104 100644 store = OpenSSL::X509::Store.new store.add_cert(@ca_cert) ca_certs = [@ca_cert] -@@ -315,12 +317,42 @@ def test_split_content - AwlEke0Uze1367QKgxM0nc3SZDlptY7zPIJC5saWXb8Rt2bw2JxEBOTavrp+ZwJ8 - tcH961onq8Tme2ICaCzk - -----END PKCS7----- -+END -+ # NOTE: below PEM differs very slightly from upstream ruby -+ # in that it encodes the inner EncryptedContent in -+ # definite-length DER OCTET_STRING whereas upstream (i.e. -+ # OpenSSL) encodes EncryptedContent as indefinite-length -+ # BER OCTET_STRING. The discrepancy is due to AWS-LC's lack -+ # of support for indefinite OCTET_STRINGS. -+ pki_message_content_pem_awslc = < ctx { ctx.ssl_version = :TLSv1_2 @@ -502,7 +469,7 @@ index 07dc9a3..eb3458a 100644 server_connect(port, ctx) } } -@@ -1530,20 +1533,22 @@ def test_get_ephemeral_key +@@ -1494,20 +1496,22 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end @@ -519,17 +486,17 @@ index 07dc9a3..eb3458a 100644 - ctx.ciphers = "EDH" - server_connect(port, ctx) { |ssl| - assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key -+ if !aws_lc? ++ if !aws_lc? # AWS-LC does not support DHE ciphersuites. + # DHE -+ # TODO: How to test this with TLS 1.3? ++ # TODO: SSL_CTX_set1_groups() is required for testing this with TLS 1.3 + ctx_proc2 = proc { |ctx| -+ ctx.ssl_version = :TLSv1_2 ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION + ctx.ciphers = "EDH" + ctx.tmp_dh = Fixtures.pkey("dh-1") } + start_server(ctx_proc: ctx_proc2) do |port| + ctx = OpenSSL::SSL::SSLContext.new -+ ctx.ssl_version = :TLSv1_2 ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION + ctx.ciphers = "EDH" + server_connect(port, ctx) { |ssl| + assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key @@ -538,9 +505,11 @@ index 07dc9a3..eb3458a 100644 end # ECDHE -@@ -1608,11 +1613,11 @@ def test_fallback_scsv +@@ -1571,12 +1575,13 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ctx2.enable_fallback_scsv ctx2.max_version = OpenSSL::SSL::TLS1_1_VERSION s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) ++ # AWS-LC has slightly different error messages in all-caps. t = Thread.new { - assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { + assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { @@ -552,17 +521,20 @@ index 07dc9a3..eb3458a 100644 s1.accept } t.join -@@ -1623,6 +1628,8 @@ def test_fallback_scsv +@@ -1587,6 +1592,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_tmp_dh_callback -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? + dh = Fixtures.pkey("dh-1") called = false ctx_proc = -> ctx { -@@ -1690,7 +1697,7 @@ def test_ciphersuites_method_bogus_csuite +@@ -1652,9 +1659,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ssl_ctx = OpenSSL::SSL::SSLContext.new + pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=) ++ # AWS-LC has slightly different error messages in all-caps. assert_raise_with_message( OpenSSL::SSL::SSLError, - /SSL_CTX_set_ciphersuites: no cipher match/i @@ -570,8 +542,11 @@ index 07dc9a3..eb3458a 100644 ) { ssl_ctx.ciphersuites = 'BOGUS' } end -@@ -1734,11 +1741,13 @@ def test_ciphers_method_bogus_csuite +@@ -1696,13 +1704,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + + ssl_ctx = OpenSSL::SSL::SSLContext.new ++ # AWS-LC has slightly different error messages in all-caps. assert_raise_with_message( OpenSSL::SSL::SSLError, - /SSL_CTX_set_cipher_list: no cipher match/i @@ -580,25 +555,25 @@ index 07dc9a3..eb3458a 100644 end def test_connect_works_when_setting_dh_callback_to_nil -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? + ctx_proc = -> ctx { ctx.max_version = :TLS1_2 ctx.ciphers = "DH:!NULL" # use DH -@@ -1754,6 +1763,8 @@ def test_connect_works_when_setting_dh_callback_to_nil +@@ -1718,6 +1729,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_tmp_dh -+ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? + dh = Fixtures.pkey("dh-1") ctx_proc = -> ctx { ctx.max_version = :TLS1_2 -diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb -index 89cf672..846cfe2 100644 ---- a/test/openssl/test_ssl_session.rb -+++ b/test/openssl/test_ssl_session.rb -@@ -28,9 +28,10 @@ def test_session +diff --git ruby/test/openssl/test_ssl_session.rb ruby/test/openssl/test_ssl_session.rb +index b243201..0059fb0 100644 +--- ruby/test/openssl/test_ssl_session.rb ++++ ruby/test/openssl/test_ssl_session.rb +@@ -28,9 +28,10 @@ class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase end end @@ -610,7 +585,7 @@ index 89cf672..846cfe2 100644 MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5 -@@ -54,9 +55,10 @@ def test_session +@@ -54,9 +55,10 @@ j+RBGfCFrrQbBdnkFI/ztgM= -----END SSL SESSION PARAMETERS----- __EOS__ @@ -622,7 +597,7 @@ index 89cf672..846cfe2 100644 lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53 hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi -@@ -120,7 +122,8 @@ def test_resumption +@@ -120,7 +122,8 @@ __EOS__ ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET # Disable server-side session cache which is enabled by default ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF @@ -632,26 +607,35 @@ index 89cf672..846cfe2 100644 } start_server(ctx_proc: ctx_proc) do |port| sess1 = server_connect_with_session(port, nil, nil) { |ssl| -@@ -238,10 +241,12 @@ def test_ctx_client_session_cb +@@ -238,14 +241,18 @@ __EOS__ end server_connect_with_session(port, ctx, nil) { |ssl| - assert_equal(1, ctx.session_cache_stats[:cache_num]) -+ # AWS-LC doesn't support internal session caching on the client, but -+ # the callback is still enabled as expected. -+ assert_equal(1, ctx.session_cache_stats[:cache_num]) if !aws_lc? assert_equal(1, ctx.session_cache_stats[:connect_good]) assert_equal([ssl, ssl.session], called[:new]) - assert(ctx.session_remove(ssl.session)) -+ assert(ctx.session_remove(ssl.session)) if !aws_lc? - assert(!ctx.session_remove(ssl.session)) - if TEST_SESSION_REMOVE_CB - assert_equal([ctx, ssl.session], called[:remove]) -diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb +- assert(!ctx.session_remove(ssl.session)) +- if TEST_SESSION_REMOVE_CB +- assert_equal([ctx, ssl.session], called[:remove]) ++ # AWS-LC doesn't support internal session caching on the client, but ++ # the callback is still enabled as expected. ++ unless aws_lc? ++ assert_equal(1, ctx.session_cache_stats[:cache_num]) ++ assert_equal(true, ctx.session_remove(ssl.session)) ++ if TEST_SESSION_REMOVE_CB ++ assert_equal([ctx, ssl.session], called[:remove]) ++ end + end ++ assert_equal(false, ctx.session_remove(ssl.session)) + } + end + end +diff --git ruby/test/openssl/test_x509store.rb ruby/test/openssl/test_x509store.rb index d6c0e70..dad4036 100644 ---- a/test/openssl/test_x509store.rb -+++ b/test/openssl/test_x509store.rb -@@ -331,7 +331,7 @@ def test_verify_with_crl +--- ruby/test/openssl/test_x509store.rb ++++ ruby/test/openssl/test_x509store.rb +@@ -331,7 +331,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase def test_add_cert_duplicate # Up until OpenSSL 1.1.0, X509_STORE_add_{cert,crl}() returned an error # if the given certificate is already in the X509_STORE @@ -660,29 +644,42 @@ index d6c0e70..dad4036 100644 ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") ca1_key = Fixtures.pkey("rsa-1") ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil) -diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb -index f6c84ee..a3c5ee0 100644 ---- a/test/openssl/utils.rb -+++ b/test/openssl/utils.rb -@@ -107,7 +107,7 @@ def get_subject_key_id(cert, hex: true) +diff --git ruby/test/openssl/utils.rb ruby/test/openssl/utils.rb +index 4ebcb98..18bb0c3 100644 +--- ruby/test/openssl/utils.rb ++++ ruby/test/openssl/utils.rb +@@ -132,7 +128,7 @@ module OpenSSL::TestUtils end - def openssl?(major = nil, minor = nil, fix = nil, patch = 0, status = 0) + def openssl?(major = nil, minor = nil, fix = nil, patch = 0) - return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") + return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") || OpenSSL::OPENSSL_VERSION.include?("AWS-LC") return true unless major OpenSSL::OPENSSL_VERSION_NUMBER >= - major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 + -@@ -119,6 +119,12 @@ def libressl?(major = nil, minor = nil, fix = nil) + major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 +@@ -143,6 +139,10 @@ module OpenSSL::TestUtils return false unless version !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 end + -+ def aws_lc?(major = nil, minor = nil, fix = nil) -+ version = OpenSSL::OPENSSL_VERSION.scan(/AWS-LC (\d+)\.(\d+)\.(\d+).*/)[0] -+ return false unless version -+ !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 ++ def aws_lc? ++ OpenSSL::OPENSSL_VERSION.include?("AWS-LC") + end end class OpenSSL::TestCase < Test::Unit::TestCase +@@ -298,6 +298,14 @@ class OpenSSL::PKeyTestCase < OpenSSL::TestCase + assert_equal base.send(comp), test.send(comp) + } + end ++ ++ def assert_sign_verify_false_or_error ++ ret = yield ++ rescue => e ++ assert_kind_of(OpenSSL::PKey::PKeyError, e) ++ else ++ assert_equal(false, ret) ++ end + end + + module OpenSSL::Certs diff --git a/tests/ci/integration/ruby_patch/ruby_3_4/aws-lc-ruby.patch b/tests/ci/integration/ruby_patch/ruby_3_4/aws-lc-ruby.patch new file mode 100644 index 0000000000..4abb75f62f --- /dev/null +++ b/tests/ci/integration/ruby_patch/ruby_3_4/aws-lc-ruby.patch @@ -0,0 +1,739 @@ +diff --git ruby/ext/openssl/ossl.c ruby/ext/openssl/ossl.c +index 1eb0f95..2b0a39a 100644 +--- ruby/ext/openssl/ossl.c ++++ ruby/ext/openssl/ossl.c +@@ -411,7 +411,7 @@ ossl_fips_mode_get(VALUE self) + VALUE enabled; + enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse; + return enabled; +-#elif defined(OPENSSL_FIPS) ++#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) + VALUE enabled; + enabled = FIPS_mode() ? Qtrue : Qfalse; + return enabled; +@@ -446,7 +446,7 @@ ossl_fips_mode_set(VALUE self, VALUE enabled) + } + } + return enabled; +-#elif defined(OPENSSL_FIPS) ++#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) + if (RTEST(enabled)) { + int mode = FIPS_mode(); + if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ +@@ -1113,6 +1113,8 @@ Init_openssl(void) + Qtrue + #elif defined(OPENSSL_FIPS) + Qtrue ++#elif defined(OPENSSL_IS_AWSLC) // AWS-LC FIPS can only be enabled during compile time. ++ FIPS_mode() ? Qtrue : Qfalse + #else + Qfalse + #endif +diff --git ruby/ext/openssl/ossl_pkcs12.c ruby/ext/openssl/ossl_pkcs12.c +index bda90ae..5042b2d 100644 +--- ruby/ext/openssl/ossl_pkcs12.c ++++ ruby/ext/openssl/ossl_pkcs12.c +@@ -134,9 +134,15 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self) + if (!NIL_P(keytype)) + ktype = NUM2INT(keytype); + ++#if defined(OPENSSL_IS_AWSLC) ++ if (ktype != 0) { ++ ossl_raise(rb_eArgError, "Unknown key usage type %"PRIsVALUE, INT2NUM(ktype)); ++ } ++#else + if (ktype != 0 && ktype != KEY_SIG && ktype != KEY_EX) { + ossl_raise(rb_eArgError, "Unknown key usage type %"PRIsVALUE, INT2NUM(ktype)); + } ++#endif + + obj = NewPKCS12(cPKCS12); + x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca); +@@ -320,7 +326,9 @@ Init_ossl_pkcs12(void) + rb_define_method(cPKCS12, "to_der", ossl_pkcs12_to_der, 0); + rb_define_method(cPKCS12, "set_mac", pkcs12_set_mac, -1); + ++#if !defined(OPENSSL_IS_AWSLC) + /* MSIE specific PKCS12 key usage extensions */ + rb_define_const(cPKCS12, "KEY_EX", INT2NUM(KEY_EX)); + rb_define_const(cPKCS12, "KEY_SIG", INT2NUM(KEY_SIG)); ++#endif + } +diff --git ruby/ext/openssl/ossl_pkey_ec.c ruby/ext/openssl/ossl_pkey_ec.c +index 9852be6..f970b06 100644 +--- ruby/ext/openssl/ossl_pkey_ec.c ++++ ruby/ext/openssl/ossl_pkey_ec.c +@@ -657,8 +657,11 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self) + ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */ + if (nid == NID_undef) + ossl_raise(eEC_GROUP, "unknown curve name (%"PRIsVALUE")", arg1); +- ++#if !defined(OPENSSL_IS_AWSLC) + group = EC_GROUP_new_by_curve_name(nid); ++#else /* EC_GROUPs are static and immutable by default in AWS-LC. */ ++ group = EC_GROUP_new_by_curve_name_mutable(nid); ++#endif + if (group == NULL) + ossl_raise(eEC_GROUP, "unable to create curve (%"PRIsVALUE")", arg1); + +@@ -1367,7 +1370,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self) + GetECPointGroup(self, group); + + rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated"); +-#if !OSSL_OPENSSL_PREREQ(3, 0, 0) ++#if !OSSL_OPENSSL_PREREQ(3, 0, 0) && !defined(OPENSSL_IS_AWSLC) + if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1) + ossl_raise(eEC_POINT, "EC_POINT_make_affine"); + #endif +@@ -1516,7 +1519,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self) + if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1) + ossl_raise(eEC_POINT, NULL); + } else { +-#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) ++#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_AWSLC) + rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \ + "supported by this OpenSSL version"); + #else +diff --git ruby/ext/openssl/ossl_ssl.c ruby/ext/openssl/ossl_ssl.c +index 2525d0c..172aecc 100644 +--- ruby/ext/openssl/ossl_ssl.c ++++ ruby/ext/openssl/ossl_ssl.c +@@ -823,7 +823,9 @@ ossl_sslctx_setup(VALUE self) + #endif + + #ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH ++#if !defined(OPENSSL_IS_AWSLC) /* AWS-LC has no support for TLS 1.3 PHA. */ + SSL_CTX_set_post_handshake_auth(ctx, 1); ++#endif + #endif + + val = rb_attr_get(self, id_i_cert_store); +@@ -1241,7 +1241,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) + rb_check_frozen(self); + GetSSLCTX(self, ctx); + +-#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) ++#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) && !defined(OPENSSL_IS_AWSLC) + SSL_CTX_set_security_level(ctx, NUM2INT(value)); + #else + (void)ctx; +diff --git ruby/test/openssl/test_asn1.rb ruby/test/openssl/test_asn1.rb +index 354b587..869ecc0 100644 +--- ruby/test/openssl/test_asn1.rb ++++ ruby/test/openssl/test_asn1.rb +@@ -458,7 +458,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase + encode_decode_test B(%w{ 81 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :CONTEXT_SPECIFIC) + encode_decode_test B(%w{ C1 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 1, :PRIVATE) + encode_decode_test B(%w{ 1F 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 32, :UNIVERSAL) +- encode_decode_test B(%w{ 1F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :UNIVERSAL) ++ encode_decode_test B(%w{ 9F C0 20 00 }), OpenSSL::ASN1::ASN1Data.new(B(%w{}), 8224, :CONTEXT_SPECIFIC) + encode_decode_test B(%w{ 41 02 AB CD }), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 1, :APPLICATION) + encode_decode_test B(%w{ 41 81 80 } + %w{ AB CD } * 64), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 64), 1, :APPLICATION) + encode_decode_test B(%w{ 41 82 01 00 } + %w{ AB CD } * 128), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 128), 1, :APPLICATION) +diff --git ruby/test/openssl/test_bn.rb ruby/test/openssl/test_bn.rb +index 1217f25..5b68544 100644 +--- ruby/test/openssl/test_bn.rb ++++ ruby/test/openssl/test_bn.rb +@@ -321,6 +321,8 @@ class OpenSSL::TestBN < OpenSSL::TestCase + end + + def test_get_flags_and_set_flags ++ return if aws_lc? # AWS-LC does not support BN::CONSTTIME. ++ + e = OpenSSL::BN.new(999) + + assert_equal(0, e.get_flags(OpenSSL::BN::CONSTTIME)) +@@ -364,7 +366,9 @@ class OpenSSL::TestBN < OpenSSL::TestCase + assert_equal(true, Ractor.new(@e2) { _1.negative? }.take) + assert_include(128..255, Ractor.new { OpenSSL::BN.rand(8)}.take) + assert_include(0...2**32, Ractor.new { OpenSSL::BN.generate_prime(32) }.take) +- assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take) ++ if !aws_lc? # AWS-LC does not support BN::CONSTTIME. ++ assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take) ++ end + # test if shareable when frozen + assert Ractor.shareable?(@e1.freeze) + end +diff --git ruby/test/openssl/test_config.rb ruby/test/openssl/test_config.rb +index 759a5bb..c10a855 100644 +--- ruby/test/openssl/test_config.rb ++++ ruby/test/openssl/test_config.rb +@@ -43,6 +43,9 @@ __EOD__ + end + + def test_s_parse_format ++ # AWS-LC removed support for parsing $foo variables. ++ return if aws_lc? ++ + c = OpenSSL::Config.parse(<<__EOC__) + baz =qx\t # "baz = qx" + +@@ -213,13 +216,15 @@ __EOC__ + assert_raise(TypeError) do + @it.get_value(nil, 'HOME') # not allowed unlike Config#value + end +- # fallback to 'default' ugly... +- assert_equal('.', @it.get_value('unknown', 'HOME')) ++ unless aws_lc? # AWS-LC does not support the fallback ++ # fallback to 'default' ugly... ++ assert_equal('.', @it.get_value('unknown', 'HOME')) ++ end + end + + def test_get_value_ENV +- # LibreSSL removed support for NCONF_get_string(conf, "ENV", str) +- return if libressl? ++ # LibreSSL and AWS-LC removed support for NCONF_get_string(conf, "ENV", str) ++ return if libressl? || aws_lc? + + key = ENV.keys.first + assert_not_nil(key) # make sure we have at least one ENV var. +diff --git ruby/test/openssl/test_fips.rb ruby/test/openssl/test_fips.rb +index 4a3dd43..8a33cec 100644 +--- ruby/test/openssl/test_fips.rb ++++ ruby/test/openssl/test_fips.rb +@@ -28,6 +28,8 @@ class OpenSSL::TestFIPS < OpenSSL::TestCase + end + + def test_fips_mode_is_reentrant ++ return if aws_lc? # AWS-LC's FIPS mode is decided at compile time. ++ + assert_separately(["-ropenssl"], <<~"end;") + OpenSSL.fips_mode = false + OpenSSL.fips_mode = false +@@ -35,7 +37,7 @@ class OpenSSL::TestFIPS < OpenSSL::TestCase + end + + def test_fips_mode_get_with_fips_mode_set +- omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS ++ omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS and !aws_lc? # AWS-LC's FIPS mode is decided at compile time. + + assert_separately(["-ropenssl"], <<~"end;") + begin +diff --git ruby/test/openssl/test_pkcs12.rb ruby/test/openssl/test_pkcs12.rb +index 68a23b2..1b53287 100644 +--- ruby/test/openssl/test_pkcs12.rb ++++ ruby/test/openssl/test_pkcs12.rb +@@ -178,6 +178,8 @@ module OpenSSL + end + + def test_create_with_keytype ++ omit "AWS-LC does not support KEY_SIG and KEY_EX" if aws_lc? ++ + OpenSSL::PKCS12.create( + "omg", + "hello", +diff --git ruby/test/openssl/test_pkcs7.rb ruby/test/openssl/test_pkcs7.rb +index 862716b..033fdcf 100644 +--- ruby/test/openssl/test_pkcs7.rb ++++ ruby/test/openssl/test_pkcs7.rb +@@ -211,6 +211,8 @@ END + end + + def test_smime ++ pend "AWS-LC has no current support for SMIME with PKCS7" if aws_lc? ++ + store = OpenSSL::X509::Store.new + store.add_cert(@ca_cert) + ca_certs = [@ca_cert] +@@ -233,6 +235,8 @@ END + end + + def test_to_text ++ omit "AWS-LC does not support PKCS7.to_text" if aws_lc? ++ + p7 = OpenSSL::PKCS7.new + p7.type = "signed" + assert_match(/signed/, p7.to_text) +@@ -346,7 +350,12 @@ END + store = OpenSSL::X509::Store.new + pki_msg.verify(nil, store, nil, OpenSSL::PKCS7::NOVERIFY) + p7enc = OpenSSL::PKCS7.new(pki_msg.data) +- assert_equal(pki_message_content_pem, p7enc.to_pem) ++ # AWS-LC uses explicit OCTET STRING headers when encoding PKCS7 EncryptedContent, ++ # while OpenSSL traditionally uses indefinite-length encoding (ASN1_TFLG_NDEF) ++ # in its PKCS7 implementation. ++ unless aws_lc? ++ assert_equal(pki_message_content_pem, p7enc.to_pem) ++ end + end + end + +diff --git ruby/test/openssl/test_pkey_dh.rb ruby/test/openssl/test_pkey_dh.rb +index d32ffaf..67fd9cf 100644 +--- ruby/test/openssl/test_pkey_dh.rb ++++ ruby/test/openssl/test_pkey_dh.rb +@@ -19,7 +19,7 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase + end if ENV["OSSL_TEST_ALL"] + + def test_new_break_on_non_fips +- omit_on_fips ++ omit_on_fips if !aws_lc? + + assert_nil(OpenSSL::PKey::DH.new(NEW_KEYLEN) { break }) + assert_raise(RuntimeError) do +@@ -29,6 +29,7 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase + + def test_new_break_on_fips + omit_on_non_fips ++ return unless openssl? # This behavior only applies to OpenSSL. + + # The block argument is not executed in FIPS case. + # See https://github.com/ruby/openssl/issues/692 for details. +@@ -123,11 +124,22 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase + ])) + assert_equal(true, dh1.params_ok?) + +- dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([ +- OpenSSL::ASN1::Integer(dh0.p + 1), +- OpenSSL::ASN1::Integer(dh0.g) +- ])) +- assert_equal(false, dh2.params_ok?) ++ # AWS-LC automatically does parameter checks on the parsed params. ++ if aws_lc? ++ assert_raise(OpenSSL::PKey::DHError) { ++ OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([ ++ OpenSSL::ASN1::Integer(dh0.p + 1), ++ OpenSSL::ASN1::Integer(dh0.g) ++ ])) ++ } ++ else ++ dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([ ++ OpenSSL::ASN1::Integer(dh0.p + 1), ++ OpenSSL::ASN1::Integer(dh0.g) ++ ])) ++ assert_equal(false, dh2.params_ok?) ++ end ++ + end + + def test_dup +diff --git ruby/test/openssl/test_pkey_dsa.rb ruby/test/openssl/test_pkey_dsa.rb +index 3e8a83b..13951ff 100644 +--- ruby/test/openssl/test_pkey_dsa.rb ++++ ruby/test/openssl/test_pkey_dsa.rb +@@ -86,19 +86,19 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase + sig = key.syssign(digest) + assert_equal true, key.sysverify(digest, sig) + assert_equal false, key.sysverify(digest, invalid_sig) +- assert_raise(OpenSSL::PKey::DSAError) { key.sysverify(digest, malformed_sig) } ++ assert_sign_verify_false_or_error{ key.sysverify(digest, malformed_sig) } + assert_equal true, key.verify_raw(nil, sig, digest) + assert_equal false, key.verify_raw(nil, invalid_sig, digest) +- assert_raise(OpenSSL::PKey::PKeyError) { key.verify_raw(nil, malformed_sig, digest) } ++ assert_sign_verify_false_or_error { key.verify_raw(nil, malformed_sig, digest) } + + # Sign by #sign_raw + sig = key.sign_raw(nil, digest) + assert_equal true, key.sysverify(digest, sig) + assert_equal false, key.sysverify(digest, invalid_sig) +- assert_raise(OpenSSL::PKey::DSAError) { key.sysverify(digest, malformed_sig) } ++ assert_sign_verify_false_or_error { key.sysverify(digest, malformed_sig) } + assert_equal true, key.verify_raw(nil, sig, digest) + assert_equal false, key.verify_raw(nil, invalid_sig, digest) +- assert_raise(OpenSSL::PKey::PKeyError) { key.verify_raw(nil, malformed_sig, digest) } ++ assert_sign_verify_false_or_error { key.verify_raw(nil, malformed_sig, digest) } + end + + def test_DSAPrivateKey +diff --git ruby/test/openssl/test_pkey_ec.rb ruby/test/openssl/test_pkey_ec.rb +index 2cb8e28..d235692 100644 +--- ruby/test/openssl/test_pkey_ec.rb ++++ ruby/test/openssl/test_pkey_ec.rb +@@ -88,11 +88,20 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase + assert_equal(true, key2.check_key) + + # Behavior of EVP_PKEY_public_check changes between OpenSSL 1.1.1 and 3.0 +- key4 = Fixtures.pkey("p256_too_large") +- assert_raise(OpenSSL::PKey::ECError) { key4.check_key } +- +- key5 = Fixtures.pkey("p384_invalid") +- assert_raise(OpenSSL::PKey::ECError) { key5.check_key } ++ # The public key does not match the private key ++ ec_key_data = <<~EOF ++ -----BEGIN EC PRIVATE KEY----- ++ MHcCAQEEIP+TT0V8Fndsnacji9tyf6hmhHywcOWTee9XkiBeJoVloAoGCCqGSM49 ++ AwEHoUQDQgAEBkhhJIU/2/YdPSlY2I1k25xjK4trr5OXSgXvBC21PtY0HQ7lor7A ++ jzT0giJITqmcd81fwGw5+96zLcdxTF1hVQ== ++ -----END EC PRIVATE KEY----- ++ EOF ++ if aws_lc? # AWS-LC automatically does key checks on the parsed key. ++ assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.read(ec_key_data) } ++ else ++ key4 = OpenSSL::PKey.read(ec_key_data) ++ assert_raise(OpenSSL::PKey::ECError) { key4.check_key } ++ end + + # EC#private_key= is deprecated in 3.0 and won't work on OpenSSL 3.0 + if !openssl?(3, 0, 0) +@@ -143,19 +152,19 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase + sig = key.dsa_sign_asn1(data1) + assert_equal true, key.dsa_verify_asn1(data1, sig) + assert_equal false, key.dsa_verify_asn1(data2, sig) +- assert_raise(OpenSSL::PKey::ECError) { key.dsa_verify_asn1(data1, malformed_sig) } ++ assert_sign_verify_false_or_error { key.dsa_verify_asn1(data1, malformed_sig) } + assert_equal true, key.verify_raw(nil, sig, data1) + assert_equal false, key.verify_raw(nil, sig, data2) +- assert_raise(OpenSSL::PKey::PKeyError) { key.verify_raw(nil, malformed_sig, data1) } ++ assert_sign_verify_false_or_error { key.verify_raw(nil, malformed_sig, data1) } + + # Sign by #sign_raw + sig = key.sign_raw(nil, data1) + assert_equal true, key.dsa_verify_asn1(data1, sig) + assert_equal false, key.dsa_verify_asn1(data2, sig) +- assert_raise(OpenSSL::PKey::ECError) { key.dsa_verify_asn1(data1, malformed_sig) } ++ assert_sign_verify_false_or_error { key.dsa_verify_asn1(data1, malformed_sig) } + assert_equal true, key.verify_raw(nil, sig, data1) + assert_equal false, key.verify_raw(nil, sig, data2) +- assert_raise(OpenSSL::PKey::PKeyError) { key.verify_raw(nil, malformed_sig, data1) } ++ assert_sign_verify_false_or_error{ key.verify_raw(nil, malformed_sig, data1) } + end + + def test_dsa_sign_asn1_FIPS186_3 +@@ -300,7 +309,10 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase + assert_equal group1.to_der, group2.to_der + assert_equal group1, group2 + group2.asn1_flag ^=OpenSSL::PKey::EC::NAMED_CURVE +- assert_not_equal group1.to_der, group2.to_der ++ # AWS-LC does not support serializing explicit curves. ++ unless aws_lc? ++ assert_not_equal group1.to_der, group2.to_der ++ end + assert_equal group1, group2 + + group3 = group1.dup +diff --git ruby/test/openssl/test_pkey_rsa.rb ruby/test/openssl/test_pkey_rsa.rb +index 02693c2..e1a0df1 100644 +--- ruby/test/openssl/test_pkey_rsa.rb ++++ ruby/test/openssl/test_pkey_rsa.rb +@@ -542,37 +542,38 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase + assert_match (/BEGIN ENCRYPTED PRIVATE KEY/), encoded.lines[0] + assert_same_rsa rsa, OpenSSL::PKey.read(encoded, "abcdef") + +- # certtool --load-privkey=test/openssl/fixtures/pkey/rsa2048.pem --to-p8 --password=abcdef ++ # Use openssl instead of certtool due to https://gitlab.com/gnutls/gnutls/-/issues/1632 ++ # openssl pkcs8 -in test/openssl/fixtures/pkey/rsa2048.pem -topk8 -v2 aes-128-cbc -passout pass:abcdef + pem = <<~EOF + -----BEGIN ENCRYPTED PRIVATE KEY----- +- MIIFOTBjBgkqhkiG9w0BBQ0wVjA1BgkqhkiG9w0BBQwwKAQSsTIsinrhNMr4owUz +- cwYGgB0lAgMJJ8ACARAwCgYIKoZIhvcNAgkwHQYJYIZIAWUDBAECBBDtDYqmQOLV +- Nh0T0DslWgovBIIE0ESbJey2Pjf9brTp9/41CPnI9Ev78CGSv8Ihyuynu6G7oj7N +- G7jUB1pVMQ7ivebF5DmM0qHAix6fDqJetB3WCnRQpMLyIdq5VrnKwFNhwGYduWA5 +- IyaAc4DHj02e6YLyBTIKpu79OSFxLrnLCRaTbvZIUQaGhyd6pB7iAhqz5YBC0rpa +- iMK5TRlNGPYG9n2eGFOhvUsbJ4T8VDzjpVWw0VNRaukXtg4xiR6o1f0qSXqAb5d9 +- REq5DfaQfoOKTV9j7KJHDRrBQG81vkU4K+xILrCBfbcYb82aCoinwSep9LC30HaH +- LZ0hYQOuD/k/UbgjToS2wyMnkz75MN5ZNhDMZl/mACQdsMMtIxG37Mpo1Ca33uZi +- 71TCOEKIblZS11L1YhIni9Af8pOuHJBWwezP2zN2nPwV6OhgL7Jlax7ICQOPC6L/ +- yRGgC5eT4lDDAuTy0IdUhr0r5XrFzZR0/5Vgsq9cGfk9QkXOoETRhQVkEfUDdCs6 +- 6CK+SwUR9qh5824ShODFG0SQpsqBPIVtkGrypBSUJtICmGMOAsclB7RDN7/opJwp +- qv/iRJ5dhWrhRgQ/DfYifvO5On7RgC2hm48gF3Pt6XCA857ryyYxLYeMY42tAUqp +- Hmc9HL7bMYF/jl3cJ32+gLvI3PBVvrvyeAhRo6z7MFVe9I04OywV6BHUx1Us6ybF +- qkYnSpcJZdu7HyvzXm7XWLFmt7K5BlAgnFsa/8+cI1BGPgQRc1j0SWepXsSwFZX6 +- JkNQ0dewq4uRJXbGyQgfh5I5ETpqDhSt2JfBwAoze6cx3DPC711PUamxyWMiejs+ +- mYdia4p62NxaUvyXWmCGIEOzajRwywEhf9OLAmfqTN41TIrEL4BUxqtzDyw8Nl8T +- KB7nJEC366jFASfumNQkXXyH5yBIF+XwwSKUOObRZVn2rUzFToo51hHu9efxHoXa +- jZlpfglWijkmOuwoIGlGHOq8gUn76oq9WbV+YO+fWm/mf4S3ECzmYzxb6a1uCTy/ +- Itkm2qOe3yTM1t+oCqZ0/MeTZ84ALQaWv5reQfjronPZ1jeNtxrYz28tJ4KwBn0U +- bJReXbOLsHAymipncxlmaevbx4GPTduu/lbpxefoN95w+SpEdyTmVWrfaCTgAbad +- EzcRl60my3xOMQ7CaUbRgGiwohqHDvuXzeqoZ96u6CwfAoEfy4jETmKLRH6uTtj7 +- 4jdTyoqyizjpvaM8LPspBS+oqFwLxBjpseQuScrZO1BjPxrImLy2/VRqwJ+CF4FB +- iijEgDgDc1EMIGe5YmOAV+i22n9RqX+2IvkYp7CWXrB9/lmirLFukd7hT8DLPUGq +- AvSZwTPbDPoZKG3DAebC3DbiC7A3x0KZp24doNRLamZ/MyKHo2Rzl0UhkzDU0ly2 +- eAnyNYsOAQck+C6L+ieD95Gksm9YJWurwttm5JragbIJwMCrsBQd4bXDkKdRhxS2 +- JpS0dT/aoDmgTzoG07x4cZk0rjBkfX1ta0j0b1lz7/PZXl9AbRvFdq5sJpmv4Ryz +- S+OERqo4IEfJJq2WJ92WR+HLGV3Gvsdb7znZTEF1tp4pWOLAt83Pry282UJxO7Pe +- ySf/868TEmXams06GYvH+7cMiIT2m9Dc+EFgNaPmm0uMmJ+ZjqHKSOLzrL7C ++ MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIay5V8CDQi5oCAggA ++ MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAECBBB6eyagcbsvdQlM1kPcH7kiBIIE ++ 0Ng1apIyoPAZ4BfC4kMNeSmeAv3XspxqYi3uWzXiNyTcoE6390swrwM6WvdpXvLI ++ /n/V06krxPZ9X4fBG2kLUzXt5f09lEvmQU1HW1wJGU5Sq3bNeXBrlJF4DzJE4WWd ++ whVVvNMm44ghdzN/jGSw3z+6d717N+waa7vrpBDsHjhsPNwxpyzUvcFPFysTazxx ++ kN/dziIBF6SRKi6w8VaJEMQ8czGu5T3jOc2e/1p3/AYhHLPS4NHhLR5OUh0TKqLK ++ tANAqI9YqCAjhqcYCmN3mMQXY52VfOqG9hlX1x9ZQyqiH7l102EWbPqouk6bCBLQ ++ wHepPg4uK99Wsdh65qEryNnXQ5ZmO6aGb6T3TFENCaNKmi8Nh+/5dr7J7YfhIwpo ++ FqHvk0hrZ8r3EQlr8/td0Yb1/IKzeQ34638uXf9UxK7C6o+ilsmJDR4PHJUfZL23 ++ Yb9qWJ0GEzd5AMsI7x6KuUxSuH9nKniv5Tzyty3Xmb4FwXUyADWE19cVuaT+HrFz ++ GraKnA3UXbEgWAU48/l4K2HcAHyHDD2Kbp8k+o1zUkH0fWUdfE6OUGtx19Fv44Jh ++ B7xDngK8K48C6nrj06/DSYfXlb2X7WQiapeG4jt6U57tLH2XAjHCkvu0IBZ+//+P ++ yIWduEHQ3w8FBRcIsTNJo5CjkGk580TVQB/OBLWfX48Ay3oF9zgnomDIlVjl9D0n ++ lKxw/KMCLkvB78rUeGbr1Kwj36FhGpTBw3FgcYGa5oWFZTlcOgMTXLqlbb9JnDlA ++ Zs7Tu0WTyOTV/Dne9nEm39Dzu6wRojiIpmygTD4FI7rmOy3CYNvL3XPv7XQj0hny ++ Ee/fLxugYlQnwPZSqOVEQY2HsG7AmEHRsvy4bIWIGt+yzAPZixt9MUdJh91ttRt7 ++ QA/8J1pAsGqEuQpF6UUINZop3J7twfhO4zWYN/NNQ52eWNX2KLfjfGRhrvatzmZ0 ++ BuCsCI9hwEeE6PTlhbX1Rs177MrDc3vlqz2V3Po0OrFjXAyg9DR/OC4iK5wOG2ZD ++ 7StVSP8bzwQXsz3fJ0ardKXgnU2YDAP6Vykjgt+nFI09HV/S2faOc2g/UK4Y2khl ++ J93u/GHMz/Kr3bKWGY1/6nPdIdFheQjsiNhd5gI4tWik2B3QwU9mETToZ2LSvDHU ++ jYCys576xJLkdMM6nJdq72z4tCoES9IxyHVs4uLjHKIo/ZtKr+8xDo8IL4ax3U8+ ++ NMhs/lwReHmPGahm1fu9zLRbNCVL7e0zrOqbjvKcSEftObpV/LLcPYXtEm+lZcck ++ /PMw49HSE364anKEXCH1cyVWJwdZRpFUHvRpLIrpHru7/cthhiEMdLgK1/x8sLob ++ DiyieLxH1DPeXT4X+z94ER4IuPVOcV5AXc/omghispEX6DNUnn5jC4e3WyabjUbw ++ MuO9lVH9Wi2/ynExCqVmQkdbTXuLwjni1fJ27Q5zb0aCmhO8eq6P869NCjhJuiUj ++ NI9XtGLP50YVWE0kL8KEJqnyFudky8Khzk4/dyixQFqin5GfT4vetrLunGHy7lRB ++ 3LpnFrpMOr+0xr1RW1k9vlmjRsJSiojJfReYO7gH3B5swiww2azogoL+4jhF1Jxh ++ OYLWdkKhP2jSVGqtIDtny0O4lBm2+hLpWjiI0mJQ7wdA + -----END ENCRYPTED PRIVATE KEY----- + EOF + assert_same_rsa rsa, OpenSSL::PKey.read(pem, "abcdef") +diff --git ruby/test/openssl/test_ssl.rb ruby/test/openssl/test_ssl.rb +index 459efcc..1942cd3 100644 +--- ruby/test/openssl/test_ssl.rb ++++ ruby/test/openssl/test_ssl.rb +@@ -39,7 +39,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + end + + def test_ctx_options_config +- omit "LibreSSL does not support OPENSSL_CONF" if libressl? ++ omit "LibreSSL and AWS-LC do not support OPENSSL_CONF" if libressl? || aws_lc? + omit "OpenSSL < 1.1.1 does not support system_default" if openssl? && !openssl?(1, 1, 1) + + Tempfile.create("openssl.cnf") { |f| +@@ -505,7 +505,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ssl.sync_close = true + begin + assert_raise(OpenSSL::SSL::SSLError){ ssl.connect } +- assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result) ++ assert_includes [OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY], ssl.verify_result + ensure + ssl.close + end +@@ -642,6 +642,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + end + + def test_post_connect_check_with_anon_ciphers ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ + ctx_proc = -> ctx { + ctx.ssl_version = :TLSv1_2 + ctx.ciphers = "aNULL" +@@ -1167,7 +1169,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ctx.set_params + # OpenSSL <= 1.1.0: "self signed certificate in certificate chain" + # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain" +- assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) { ++ # AWS-LC: "CERTIFICATE_VERIFY_FAILED (unable to get local issuer certificate)" ++ assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed|CERTIFICATE_VERIFY_FAILED/) { + server_connect(port, ctx) + } + } +@@ -1615,20 +1618,22 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + end + end + +- # DHE +- # TODO: How to test this with TLS 1.3? +- ctx_proc2 = proc { |ctx| +- ctx.ssl_version = :TLSv1_2 +- ctx.ciphers = "EDH" +- ctx.tmp_dh = Fixtures.pkey("dh-1") +- } +- start_server(ctx_proc: ctx_proc2) do |port| +- ctx = OpenSSL::SSL::SSLContext.new +- ctx.ssl_version = :TLSv1_2 +- ctx.ciphers = "EDH" +- server_connect(port, ctx) { |ssl| +- assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key ++ if !aws_lc? # AWS-LC does not support DHE ciphersuites. ++ # DHE ++ # TODO: SSL_CTX_set1_groups() is required for testing this with TLS 1.3 ++ ctx_proc2 = proc { |ctx| ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION ++ ctx.ciphers = "EDH" ++ ctx.tmp_dh = Fixtures.pkey("dh-1") + } ++ start_server(ctx_proc: ctx_proc2) do |port| ++ ctx = OpenSSL::SSL::SSLContext.new ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION ++ ctx.ciphers = "EDH" ++ server_connect(port, ctx) { |ssl| ++ assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key ++ } ++ end + end + + # ECDHE +@@ -1692,12 +1697,13 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ctx2.enable_fallback_scsv + ctx2.max_version = OpenSSL::SSL::TLS1_1_VERSION + s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) ++ # AWS-LC has slightly different error messages in all-caps. + t = Thread.new { +- assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { ++ assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { + s2.connect + } + } +- assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { ++ assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { + s1.accept + } + t.join +@@ -1708,6 +1714,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + end + + def test_tmp_dh_callback ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ + dh = Fixtures.pkey("dh-1") + called = false + ctx_proc = -> ctx { +@@ -1773,9 +1781,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + ssl_ctx = OpenSSL::SSL::SSLContext.new + pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=) + ++ # AWS-LC has slightly different error messages in all-caps. + assert_raise_with_message( + OpenSSL::SSL::SSLError, +- /SSL_CTX_set_ciphersuites: no cipher match/i ++ /SSL_CTX_set_ciphersuites: (no cipher match|NO_CIPHER_MATCH)/i + ) { ssl_ctx.ciphersuites = 'BOGUS' } + end + +@@ -1817,13 +1826,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + + ssl_ctx = OpenSSL::SSL::SSLContext.new + ++ # AWS-LC has slightly different error messages in all-caps. + assert_raise_with_message( + OpenSSL::SSL::SSLError, +- /SSL_CTX_set_cipher_list: no cipher match/i ++ /SSL_CTX_set_cipher_list: (no cipher match|NO_CIPHER_MATCH)/i + ) { ssl_ctx.ciphers = 'BOGUS' } + end + + def test_connect_works_when_setting_dh_callback_to_nil ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ + ctx_proc = -> ctx { + ctx.max_version = :TLS1_2 + ctx.ciphers = "DH:!NULL" # use DH +@@ -1839,6 +1851,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase + end + + def test_tmp_dh ++ omit "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ + dh = Fixtures.pkey("dh-1") + ctx_proc = -> ctx { + ctx.max_version = :TLS1_2 +diff --git ruby/test/openssl/test_ssl_session.rb ruby/test/openssl/test_ssl_session.rb +index 25ba6a8..faed251 100644 +--- ruby/test/openssl/test_ssl_session.rb ++++ ruby/test/openssl/test_ssl_session.rb +@@ -28,9 +28,10 @@ class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase + end + end + ++ # PEM file updated to use TLS 1.2 with ECDHE-RSA-AES256-SHA. + DUMMY_SESSION = <<__EOS__ + -----BEGIN SSL SESSION PARAMETERS----- +-MIIDzQIBAQICAwEEAgA5BCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad ++MIIDzQIBAQICAwMEAsAUBCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad + MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy + NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB + BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5 +@@ -54,9 +55,10 @@ j+RBGfCFrrQbBdnkFI/ztgM= + -----END SSL SESSION PARAMETERS----- + __EOS__ + ++ # PEM file updated to use TLS 1.1 with ECDHE-RSA-AES256-SHA. + DUMMY_SESSION_NO_EXT = <<-__EOS__ + -----BEGIN SSL SESSION PARAMETERS----- +-MIIDCAIBAQICAwAEAgA5BCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+ ++MIIDCAIBAQICAwIEAsAUBCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+ + lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53 + hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B + AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi +@@ -120,7 +122,8 @@ __EOS__ + ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET + # Disable server-side session cache which is enabled by default + ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF +- ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0) ++ # Session tickets must be retrieved via ctx.session_new_cb in TLS 1.3 in AWS-LC. ++ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0) || aws_lc? + } + start_server(ctx_proc: ctx_proc) do |port| + sess1 = server_connect_with_session(port, nil, nil) { |ssl| +@@ -237,14 +240,18 @@ __EOS__ + end + + server_connect_with_session(port, ctx, nil) { |ssl| +- assert_equal(1, ctx.session_cache_stats[:cache_num]) + assert_equal(1, ctx.session_cache_stats[:connect_good]) + assert_equal([ssl, ssl.session], called[:new]) +- assert_equal(true, ctx.session_remove(ssl.session)) +- assert_equal(false, ctx.session_remove(ssl.session)) +- if TEST_SESSION_REMOVE_CB +- assert_equal([ctx, ssl.session], called[:remove]) ++ # AWS-LC doesn't support internal session caching on the client, but ++ # the callback is still enabled as expected. ++ unless aws_lc? ++ assert_equal(1, ctx.session_cache_stats[:cache_num]) ++ assert_equal(true, ctx.session_remove(ssl.session)) ++ if TEST_SESSION_REMOVE_CB ++ assert_equal([ctx, ssl.session], called[:remove]) ++ end + end ++ assert_equal(false, ctx.session_remove(ssl.session)) + } + end + end +@@ -252,6 +259,7 @@ __EOS__ + def test_ctx_client_session_cb_tls13 + omit "TLS 1.3 not supported" unless tls13_supported? + omit "LibreSSL does not call session_new_cb in TLS 1.3" if libressl? ++ omit "AWS-LC does not support internal session caching on the client" if aws_lc? + + start_server do |port| + called = {} +diff --git ruby/test/openssl/test_x509store.rb ruby/test/openssl/test_x509store.rb +index d6c0e70..dad4036 100644 +--- ruby/test/openssl/test_x509store.rb ++++ ruby/test/openssl/test_x509store.rb +@@ -331,7 +331,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase + def test_add_cert_duplicate + # Up until OpenSSL 1.1.0, X509_STORE_add_{cert,crl}() returned an error + # if the given certificate is already in the X509_STORE +- return if openssl?(1, 1, 0) || libressl? ++ return if openssl?(1, 1, 0) || libressl? || aws_lc? + ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") + ca1_key = Fixtures.pkey("rsa-1") + ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil) +diff --git ruby/test/openssl/utils.rb ruby/test/openssl/utils.rb +index f6c84ee..c2b9195 100644 +--- ruby/test/openssl/utils.rb ++++ ruby/test/openssl/utils.rb +@@ -107,7 +107,7 @@ module OpenSSL::TestUtils + end + + def openssl?(major = nil, minor = nil, fix = nil, patch = 0, status = 0) +- return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") ++ return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") || OpenSSL::OPENSSL_VERSION.include?("AWS-LC") + return true unless major + OpenSSL::OPENSSL_VERSION_NUMBER >= + major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 + +@@ -119,6 +119,10 @@ module OpenSSL::TestUtils + return false unless version + !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 + end ++ ++ def aws_lc? ++ OpenSSL::OPENSSL_VERSION.include?("AWS-LC") ++ end + end + + class OpenSSL::TestCase < Test::Unit::TestCase +@@ -299,6 +303,14 @@ class OpenSSL::PKeyTestCase < OpenSSL::TestCase + assert_equal base.send(comp), test.send(comp) + } + end ++ ++ def assert_sign_verify_false_or_error ++ ret = yield ++ rescue => e ++ assert_kind_of(OpenSSL::PKey::PKeyError, e) ++ else ++ assert_equal(false, ret) ++ end + end + + module OpenSSL::Certs \ No newline at end of file diff --git a/tests/ci/integration/run_ruby_integration.sh b/tests/ci/integration/run_ruby_integration.sh index 18394aceb7..8f5b0faa49 100755 --- a/tests/ci/integration/run_ruby_integration.sh +++ b/tests/ci/integration/run_ruby_integration.sh @@ -71,7 +71,7 @@ function ruby_patch() { --branch ${branch} # Add directory of backport patches if branch is not master. - if [[ "${branch}" != "master" ]]; then + if [[ "${branch}" != "master" && "${branch}" != "ruby_3_4" ]]; then patch_dirs+=("${RUBY_BACKPORT_FOLDER}") fi From 28c2217374f70c5d5940569ce50520b09fefe062 Mon Sep 17 00:00:00 2001 From: Samuel Chiang Date: Tue, 18 Mar 2025 13:40:01 -0700 Subject: [PATCH 2/5] Update run_ruby_integration.sh --- tests/ci/integration/run_ruby_integration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ci/integration/run_ruby_integration.sh b/tests/ci/integration/run_ruby_integration.sh index 8f5b0faa49..d2a28208c7 100755 --- a/tests/ci/integration/run_ruby_integration.sh +++ b/tests/ci/integration/run_ruby_integration.sh @@ -51,7 +51,7 @@ function ruby_build() { make test-all TESTS="test/rubygems/test*.rb" # drb was moved from a default gem to a bundled gem in later versions of Ruby. - if [[ "${branch}" != "master" ]]; then + if [[ "${branch}" != "master" && "${branch}" != "ruby_3_4" ]]; then make test-all TESTS="test/drb/*ssl*.rb" fi From 894357f02d48bf6cb7d07d151c7325ebb1cfe07e Mon Sep 17 00:00:00 2001 From: Samuel Chiang Date: Wed, 19 Mar 2025 01:28:51 +0000 Subject: [PATCH 3/5] Update patch file to account for ber --- .../ruby_3_2/aws-lc-ruby-temp.patch | 21 +++++-------- .../ruby_3_3/aws-lc-ruby-temp.patch | 21 +++++-------- .../ruby_patch/ruby_3_4/aws-lc-ruby.patch | 31 ++++++++----------- tests/ci/integration/run_ruby_integration.sh | 2 +- 4 files changed, 30 insertions(+), 45 deletions(-) diff --git a/tests/ci/integration/ruby_patch/ruby_3_2/aws-lc-ruby-temp.patch b/tests/ci/integration/ruby_patch/ruby_3_2/aws-lc-ruby-temp.patch index ba808c112f..ffb6e37d52 100644 --- a/tests/ci/integration/ruby_patch/ruby_3_2/aws-lc-ruby-temp.patch +++ b/tests/ci/integration/ruby_patch/ruby_3_2/aws-lc-ruby-temp.patch @@ -209,7 +209,7 @@ index ec67674..be21f47 100644 ) diff --git ruby/test/openssl/test_pkcs7.rb ruby/test/openssl/test_pkcs7.rb -index ba8b93d..f721ca8 100644 +index ba8b93d..358d61b 100644 --- ruby/test/openssl/test_pkcs7.rb +++ ruby/test/openssl/test_pkcs7.rb @@ -191,6 +191,8 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase @@ -230,20 +230,15 @@ index ba8b93d..f721ca8 100644 ca_cert_pem = < Date: Wed, 19 Mar 2025 21:37:05 +0000 Subject: [PATCH 4/5] Update FIPS ruby --- tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml index 2dd7dd1a07..834c50d698 100644 --- a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml +++ b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml @@ -491,5 +491,5 @@ batch: compute-type: BUILD_GENERAL1_MEDIUM image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_integration_latest variables: - AWS_LC_CI_TARGET: "tests/ci/integration/run_ruby_integration.sh ruby_3_3 ruby_3_2 ruby_3_1" + AWS_LC_CI_TARGET: "tests/ci/integration/run_ruby_integration.sh ruby_3_4 ruby_3_3 ruby_3_2" FIPS: 1 \ No newline at end of file From 46d561cb0c774d9f53573fc88dc0d7a701a2dd53 Mon Sep 17 00:00:00 2001 From: Samuel Chiang Date: Thu, 20 Mar 2025 18:45:02 -0700 Subject: [PATCH 5/5] Update comments --- tests/ci/integration/run_ruby_integration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ci/integration/run_ruby_integration.sh b/tests/ci/integration/run_ruby_integration.sh index 179433010b..99d0d15883 100755 --- a/tests/ci/integration/run_ruby_integration.sh +++ b/tests/ci/integration/run_ruby_integration.sh @@ -70,7 +70,7 @@ function ruby_patch() { --depth 1 \ --branch ${branch} - # Add directory of backport patches if branch is not master. + # Add directory of backport patches if branch is a version later than Ruby 3.4. if [[ "${branch}" != "master" && "${branch}" != "ruby_3_4" ]]; then patch_dirs+=("${RUBY_BACKPORT_FOLDER}") fi