diff --git a/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch b/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch index f7578f96b63..f76cf21203c 100644 --- a/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch +++ b/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch @@ -99,3 +99,153 @@ index 06d59c2..f248a96 100644 rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \ "supported by this OpenSSL version"); #else +diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c +index 9a0682a..c289055 100644 +--- a/ext/openssl/ossl_ssl.c ++++ b/ext/openssl/ossl_ssl.c +@@ -1139,7 +1139,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) + rb_check_frozen(self); + GetSSLCTX(self, ctx); + +-#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) ++#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) && !defined(OPENSSL_IS_AWSLC) + SSL_CTX_set_security_level(ctx, NUM2INT(value)); + #else + (void)ctx; +diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb +index 39964bf..aef3e61 100644 +--- a/test/openssl/test_ssl.rb ++++ b/test/openssl/test_ssl.rb +@@ -420,7 +420,7 @@ def test_verify_result + ssl.sync_close = true + begin + assert_raise(OpenSSL::SSL::SSLError){ ssl.connect } +- assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result) ++ assert_includes(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN..OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, ssl.verify_result) + ensure + ssl.close + end +@@ -523,6 +523,8 @@ def test_sslctx_set_params + end + + def test_post_connect_check_with_anon_ciphers ++ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ + ctx_proc = -> ctx { + ctx.ssl_version = :TLSv1_2 + ctx.ciphers = "aNULL" +@@ -1000,7 +1002,7 @@ def test_connect_certificate_verify_failed_exception_message + ctx.set_params + # OpenSSL <= 1.1.0: "self signed certificate in certificate chain" + # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain" +- assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) { ++ assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed|CERTIFICATE_VERIFY_FAILED/) { + server_connect(port, ctx) + } + } +@@ -1458,21 +1460,23 @@ def test_get_ephemeral_key + end + end + +- # DHE +- # TODO: How to test this with TLS 1.3? +- ctx_proc2 = proc { |ctx| +- ctx.ssl_version = :TLSv1_2 +- ctx.ciphers = "EDH" +- ctx.tmp_dh = Fixtures.pkey("dh-1") +- } +- start_server(ctx_proc: ctx_proc2) do |port| +- ctx = OpenSSL::SSL::SSLContext.new +- ctx.ssl_version = :TLSv1_2 +- ctx.ciphers = "EDH" +- server_connect(port, ctx) { |ssl| +- assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key +- } +- end ++ if not aws_lc? ++ # DHE ++ # TODO: How to test this with TLS 1.3? ++ ctx_proc2 = proc { |ctx| ++ ctx.ssl_version = :TLSv1_2 ++ ctx.ciphers = "EDH" ++ ctx.tmp_dh = Fixtures.pkey("dh-1") ++ } ++ start_server(ctx_proc: ctx_proc2) do |port| ++ ctx = OpenSSL::SSL::SSLContext.new ++ ctx.ssl_version = :TLSv1_2 ++ ctx.ciphers = "EDH" ++ server_connect(port, ctx) { |ssl| ++ assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key ++ } ++ end ++ end + + # ECDHE + ctx_proc3 = proc { |ctx| +@@ -1536,11 +1540,11 @@ def test_fallback_scsv + ctx2.max_version = OpenSSL::SSL::TLS1_1_VERSION + s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) + t = Thread.new { +- assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { ++ assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { + s2.connect + } + } +- assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) { ++ assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) { + s1.accept + } + t.join +@@ -1551,6 +1555,8 @@ def test_fallback_scsv + end + + def test_tmp_dh_callback ++ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ + dh = Fixtures.pkey("dh-1") + called = false + ctx_proc = -> ctx { +@@ -1570,6 +1576,8 @@ def test_tmp_dh_callback + end + + def test_connect_works_when_setting_dh_callback_to_nil ++ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ + ctx_proc = -> ctx { + ctx.max_version = :TLS1_2 + ctx.ciphers = "DH:!NULL" # use DH +@@ -1585,6 +1593,8 @@ def test_connect_works_when_setting_dh_callback_to_nil + end + + def test_tmp_dh ++ pend "AWS-LC does not support DHE ciphersuites" if aws_lc? ++ + dh = Fixtures.pkey("dh-1") + ctx_proc = -> ctx { + ctx.max_version = :TLS1_2 +diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb +index 4ebcb98..2afb15d 100644 +--- a/test/openssl/utils.rb ++++ b/test/openssl/utils.rb +@@ -132,7 +132,7 @@ def get_subject_key_id(cert, hex: true) + end + + def openssl?(major = nil, minor = nil, fix = nil, patch = 0) +- return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") ++ return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") || OpenSSL::OPENSSL_VERSION.include?("AWS-LC") + return true unless major + OpenSSL::OPENSSL_VERSION_NUMBER >= + major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 +@@ -143,6 +143,12 @@ def libressl?(major = nil, minor = nil, fix = nil) + return false unless version + !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 + end ++ ++ def aws_lc?(major = nil, minor = nil, fix = nil) ++ version = OpenSSL::OPENSSL_VERSION.scan(/AWS-LC (\d+)\.(\d+)\.(\d+).*/)[0] ++ return false unless version ++ !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 ++ end + end + + class OpenSSL::TestCase < Test::Unit::TestCase