| author | Samuel Chiang <sachiang@amazon.com> | 2025-01-24 02:16:14 +0000 |
|---|---|---|
| committer | git <svn-admin@ruby-lang.org> | 2025-02-11 15:35:03 +0000 |
| commit | 06faf28558c2f1925f37dd78ff61ba1bef6e894e (patch) | |
| tree | 02e182829860f8be439fc1a62303fc8577cbeb50 /ext | |
| parent | e603a420e9fb085c37f16f0a32628ecf6232f507 (diff) | |
[ruby/openssl] Add build support for AWS-LC
CI Changes
1. I've split the original patch up to make it easier to digest, but
that forces my hand to turn off testing in the AWS-LC CI for the time
being. However, do let me know if you would prefer to review the test
adjustments in the same PR and I can remove the temporary CI workaround.
2. AWS-LC has a few no-op functions and we use -Wdeprecated-declarations
to alert the consuming application of these. I've leveraged the
skip-warnings CI option so that the build doesn't fail.
Build Adjustments
1. AWS-LC FIPS mode is decided at compile time. This is different from
OpenSSL's togglable FIPS switch, so I've adjusted the build to account
for this.
2. AWS-LC does not support the two KEY_SIG and KEY_EX flags, which were
only ever supported by old MSIE.
3. AWS-LC has no current support for post handshake authentication in
TLS 1.3.
4. EC_GROUP structures for named curves in AWS-LC are constant, static,
and immutable by default. This means that the EC_GROUP_set_* functions
are essentially no-ops due to the immutability of the structure. We've
introduced a new API for consumers that depend on the OpenSSL's default
mutability of the EC_GROUP structure called
EC_GROUP_new_by_curve_name_mutable. Since Ruby has a bit of
functionality that's dependent on the mutability of these structures,
I've made the corresponding adjustments to allow things to work as
expected.
https://github.com/ruby/openssl/commit/e53ec5a101
Diffstat (limited to 'ext')
| -rw-r--r-- | ext/openssl/ossl.c | 6 | ||||
| -rw-r--r-- | ext/openssl/ossl_pkcs12.c | 8 | ||||
| -rw-r--r-- | ext/openssl/ossl_pkey_ec.c | 7 | ||||
| -rw-r--r-- | ext/openssl/ossl_ssl.c | 2 |
4 files changed, 19 insertions, 4 deletions
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index 3bdb18e10e..27d7f9cfdf 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -404,7 +404,7 @@ ossl_fips_mode_get(VALUE self)
 VALUE enabled;
 enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
 return enabled;
-#elif defined(OPENSSL_FIPS)
+#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
 VALUE enabled;
 enabled = FIPS_mode() ? Qtrue : Qfalse;
 return enabled;
@@ -439,7 +439,7 @@ ossl_fips_mode_set(VALUE self, VALUE enabled)
 }
 }
 return enabled;
-#elif defined(OPENSSL_FIPS)
+#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
 if (RTEST(enabled)) {
 int mode = FIPS_mode();
 if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
@@ -1004,6 +1004,8 @@ Init_openssl(void)
 Qtrue
 #elif defined(OPENSSL_FIPS)
 Qtrue
+#elif defined(OPENSSL_IS_AWSLC) // AWS-LC FIPS can only be enabled during compile time.
+ FIPS_mode() ? Qtrue : Qfalse
 #else
 Qfalse
 #endif
diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c
index 2466b5565f..c2c544e4ff 100644
--- a/ext/openssl/ossl_pkcs12.c
+++ b/ext/openssl/ossl_pkcs12.c
@@ -134,9 +134,15 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
 if (!NIL_P(keytype))
 ktype = NUM2INT(keytype);
+#if defined(OPENSSL_IS_AWSLC)
+ if (ktype != 0) {
+ ossl_raise(rb_eArgError, "Unknown key usage type %"PRIsVALUE, INT2NUM(ktype));
+ }
+#else
 if (ktype != 0 && ktype != KEY_SIG && ktype != KEY_EX) {
 ossl_raise(rb_eArgError, "Unknown key usage type %"PRIsVALUE, INT2NUM(ktype));
 }
+#endif
 obj = NewPKCS12(cPKCS12);
 x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca);
@@ -316,7 +322,9 @@ Init_ossl_pkcs12(void)
 rb_define_method(cPKCS12, "to_der", ossl_pkcs12_to_der, 0);
 rb_define_method(cPKCS12, "set_mac", pkcs12_set_mac, -1);
+#if !defined(OPENSSL_IS_AWSLC)
 /* MSIE specific PKCS12 key usage extensions */
 rb_define_const(cPKCS12, "KEY_EX", INT2NUM(KEY_EX));
 rb_define_const(cPKCS12, "KEY_SIG", INT2NUM(KEY_SIG));
+#endif
 }
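Review bot: The `#elif` that routes AWS-LC into the `FIPS_mode_set(1)` path in ossl_fips_mode_set is at odds with the commit message, which says AWS-LC fixes FIPS at build time, and nothing on the line tells a reader how a runtime `fips_mode=` request is expected to behave there. If `FIPS_mode_set()` in AWS-LC only succeeds when the requested state already matches the build (which is how I read the description, but the library source is not in this diff), then asking for the other state lands in the generic "turning on" error, which is acceptable but should be stated: `/* AWS-LC: FIPS is fixed at build time; FIPS_mode_set() can only confirm the built-in state, so a mismatching request falls into the error path below */`. The disabling branch of ossl_fips_mode_set is outside the hunk and should be checked for the same assumption.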
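Review bot: The new `#elif defined(OPENSSL_IS_AWSLC)` line in Init_openssl annotates a preprocessor directive with a `//` comment, while the neighbouring `#elif defined(OPENSSL_FIPS)` branches and every other directive this commit adds (`#else /* EC_GROUPs ... */`, `#if !defined(OPENSSL_IS_AWSLC) /* AWS-LC has no ... */`) use `/* */`. Keeping one form makes the chain easier to scan: `#elif defined(OPENSSL_IS_AWSLC) /* AWS-LC: FIPS is fixed at build time, so report the built-in state */`. The expression on the following line evaluates `FIPS_mode()` once at extension load, which matches that intent; the constant it initialises is outside the hunk.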
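Review bot: The AWS-LC branch in ossl_pkcs12_s_create repeats the whole `if` body, so the `ossl_raise(rb_eArgError, "Unknown key usage type ...")` line now exists twice and the two copies can drift apart; only the condition differs. Keeping a single body and switching just the condition under the preprocessor also gives a natural place for the comment that explains why `KEY_SIG`/`KEY_EX` are absent on AWS-LC, which the hunk currently leaves to the commit message. The enclosing function continues past the hunk.
```c
    if (!NIL_P(keytype))
        ktype = NUM2INT(keytype);
#if defined(OPENSSL_IS_AWSLC)
    /* AWS-LC has no KEY_SIG/KEY_EX (MSIE-only extensions); only the default is valid. */
    if (ktype != 0) {
#else
    if (ktype != 0 && ktype != KEY_SIG && ktype != KEY_EX) {
#endif
        ossl_raise(rb_eArgError, "Unknown key usage type %"PRIsVALUE, INT2NUM(ktype));
    }
    /* … unchanged: NewPKCS12 and the rest of the function … */
```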
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index f43721a5b7..c620468122 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -657,8 +657,11 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)
 ossl_clear_error(); /* ignore errors in d2i_ECPKParameters_bio() */
 if (nid == NID_undef)
 ossl_raise(eEC_GROUP, "unknown curve name (%"PRIsVALUE")", arg1);
-
+#if !defined(OPENSSL_IS_AWSLC)
 group = EC_GROUP_new_by_curve_name(nid);
+#else /* EC_GROUPs are static and immutable by default in AWS-LC. */
+ group = EC_GROUP_new_by_curve_name_mutable(nid);
+#endif
 if (group == NULL)
 ossl_raise(eEC_GROUP, "unable to create curve (%"PRIsVALUE")", arg1);
@@ -1367,7 +1370,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self)
 GetECPointGroup(self, group);
 rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated");
-#if !OSSL_OPENSSL_PREREQ(3, 0, 0)
+#if !OSSL_OPENSSL_PREREQ(3, 0, 0) && !defined(OPENSSL_IS_AWSLC)
 if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1)
 ossl_raise(eEC_POINT, "EC_POINT_make_affine");
 #endif
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index cb8e5d7635..b9033d4d0e 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -705,7 +705,9 @@ ossl_sslctx_setup(VALUE self)
 SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
 #endif
+#if !defined(OPENSSL_IS_AWSLC) /* AWS-LC has no support for TLS 1.3 PHA. */
 SSL_CTX_set_post_handshake_auth(ctx, 1);
+#endif
 val = rb_attr_get(self, id_i_cert_store);
 if (!NIL_P(val)) {
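Review bot: The `#else` comment in ossl_ec_group_initialize explains what AWS-LC does (static, immutable groups) but not why this code must ask for a mutable copy, which is the part a maintainer needs when deciding whether the special case can ever go away; the reason is only in the commit message. I would extend it to `/* AWS-LC's named-curve EC_GROUPs are static and immutable; the EC_GROUP_set_* calls elsewhere in this file need a private mutable copy. */`. The release path for `group` is outside the hunk, so it is worth confirming that the object returned by `EC_GROUP_new_by_curve_name_mutable()` is freed the same way as the one from `EC_GROUP_new_by_curve_name()` on the error and success paths that follow.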
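Review bot: The widened `#if` in ossl_ec_point_make_affine turns the deprecated `make_affine!` into a warn-and-return no-op on AWS-LC without saying why, whereas the other AWS-LC exclusions in this commit carry an inline reason. Presumably AWS-LC does not provide `EC_POINT_make_affine()` (not visible from the diff), and a reader should not have to guess: `#if !OSSL_OPENSSL_PREREQ(3, 0, 0) && !defined(OPENSSL_IS_AWSLC) /* no EC_POINT_make_affine() on OpenSSL 3 or AWS-LC; the method is a no-op there */`. The function continues past the hunk.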
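Review bot: Guarding `SSL_CTX_set_post_handshake_auth(ctx, 1)` in ossl_sslctx_setup silently changes what a Ruby caller gets on AWS-LC: a server that expects to request a client certificate after the TLS 1.3 handshake will never receive one, and nothing in this hunk surfaces that to the application, so a deployment that relies on post-handshake client authentication for access control would degrade without an error. The inline comment is fine for the C reader, but the Ruby-level SSLContext documentation (outside this diff) should state that post-handshake authentication is unavailable when the extension is built against AWS-LC, and if there is a Ruby-side method that triggers a post-handshake certificate request it should raise rather than succeed vacuously on that build. The rest of ossl_sslctx_setup is outside the hunk.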
