improve patch for libssl tests

samuel40791765 · Oct 30, 2024 · a1f9864 · a1f9864
1 parent 8604c43
commit a1f9864
Showing 1 changed file with 150 additions and 0 deletions.
diff --git a/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch b/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch
@@ -99,3 +99,153 @@ index 06d59c2..f248a96 100644
          rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \
                   "supported by this OpenSSL version");
  #else
+diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
+index 9a0682a..c289055 100644
+--- a/ext/openssl/ossl_ssl.c
++++ b/ext/openssl/ossl_ssl.c
+@@ -1139,7 +1139,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value)
+     rb_check_frozen(self);
+     GetSSLCTX(self, ctx);
+
+-#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL)
++#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) && !defined(OPENSSL_IS_AWSLC)
+     SSL_CTX_set_security_level(ctx, NUM2INT(value));
+ #else
+     (void)ctx;
+diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
+index 39964bf..aef3e61 100644
+--- a/test/openssl/test_ssl.rb
++++ b/test/openssl/test_ssl.rb
+@@ -420,7 +420,7 @@ def test_verify_result
+       ssl.sync_close = true
+       begin
+         assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
+-        assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
++        assert_includes(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN..OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, ssl.verify_result)
+       ensure
+         ssl.close
+       end
+@@ -523,6 +523,8 @@ def test_sslctx_set_params
+   end
+
+   def test_post_connect_check_with_anon_ciphers
++    pend "AWS-LC does not support DHE ciphersuites" if aws_lc?
++
+     ctx_proc = -> ctx {
+       ctx.ssl_version = :TLSv1_2
+       ctx.ciphers = "aNULL"
+@@ -1000,7 +1002,7 @@ def test_connect_certificate_verify_failed_exception_message
+       ctx.set_params
+       # OpenSSL <= 1.1.0: "self signed certificate in certificate chain"
+       # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain"
+-      assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) {
++      assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed|CERTIFICATE_VERIFY_FAILED/) {
+         server_connect(port, ctx)
+       }
+     }
+@@ -1458,21 +1460,23 @@ def test_get_ephemeral_key
+       end
+     end
+
+-    # DHE
+-    # TODO: How to test this with TLS 1.3?
+-    ctx_proc2 = proc { |ctx|
+-      ctx.ssl_version = :TLSv1_2
+-      ctx.ciphers = "EDH"
+-      ctx.tmp_dh = Fixtures.pkey("dh-1")
+-    }
+-    start_server(ctx_proc: ctx_proc2) do |port|
+-      ctx = OpenSSL::SSL::SSLContext.new
+-      ctx.ssl_version = :TLSv1_2
+-      ctx.ciphers = "EDH"
+-      server_connect(port, ctx) { |ssl|
+-        assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key
+-      }
+-    end
++    if not aws_lc?
++	  # DHE
++	  # TODO: How to test this with TLS 1.3?
++	  ctx_proc2 = proc { |ctx|
++	    ctx.ssl_version = :TLSv1_2
++		ctx.ciphers = "EDH"
++	    ctx.tmp_dh = Fixtures.pkey("dh-1")
++	  }
++	  start_server(ctx_proc: ctx_proc2) do |port|
++	    ctx = OpenSSL::SSL::SSLContext.new
++	    ctx.ssl_version = :TLSv1_2
++	    ctx.ciphers = "EDH"
++	    server_connect(port, ctx) { |ssl|
++	      assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key
++	    }
++	  end
++	end
+
+     # ECDHE
+     ctx_proc3 = proc { |ctx|
+@@ -1536,11 +1540,11 @@ def test_fallback_scsv
+       ctx2.max_version = OpenSSL::SSL::TLS1_1_VERSION
+       s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
+       t = Thread.new {
+-        assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) {
++        assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) {
+           s2.connect
+         }
+       }
+-      assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) {
++      assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) {
+         s1.accept
+       }
+       t.join
+@@ -1551,6 +1555,8 @@ def test_fallback_scsv
+   end
+
+   def test_tmp_dh_callback
++    pend "AWS-LC does not support DHE ciphersuites" if aws_lc?
++
+     dh = Fixtures.pkey("dh-1")
+     called = false
+     ctx_proc = -> ctx {
+@@ -1570,6 +1576,8 @@ def test_tmp_dh_callback
+   end
+
+   def test_connect_works_when_setting_dh_callback_to_nil
++    pend "AWS-LC does not support DHE ciphersuites" if aws_lc?
++    
+     ctx_proc = -> ctx {
+       ctx.max_version = :TLS1_2
+       ctx.ciphers = "DH:!NULL" # use DH
+@@ -1585,6 +1593,8 @@ def test_connect_works_when_setting_dh_callback_to_nil
+   end
+
+   def test_tmp_dh
++    pend "AWS-LC does not support DHE ciphersuites" if aws_lc?
++
+     dh = Fixtures.pkey("dh-1")
+     ctx_proc = -> ctx {
+       ctx.max_version = :TLS1_2
+diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
+index 4ebcb98..2afb15d 100644
+--- a/test/openssl/utils.rb
++++ b/test/openssl/utils.rb
+@@ -132,7 +132,7 @@ def get_subject_key_id(cert, hex: true)
+   end
+
+   def openssl?(major = nil, minor = nil, fix = nil, patch = 0)
+-    return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL")
++    return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") || OpenSSL::OPENSSL_VERSION.include?("AWS-LC")
+     return true unless major
+     OpenSSL::OPENSSL_VERSION_NUMBER >=
+       major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10
+@@ -143,6 +143,12 @@ def libressl?(major = nil, minor = nil, fix = nil)
+     return false unless version
+     !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0
+   end
++
++  def aws_lc?(major = nil, minor = nil, fix = nil)
++    version = OpenSSL::OPENSSL_VERSION.scan(/AWS-LC (\d+)\.(\d+)\.(\d+).*/)[0]
++    return false unless version
++    !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0
++  end
+ end
+
+ class OpenSSL::TestCase < Test::Unit::TestCase