From 06faf28558c2f1925f37dd78ff61ba1bef6e894e Mon Sep 17 00:00:00 2001
From: Samuel Chiang
Date: Fri, 24 Jan 2025 02:16:14 +0000
Subject: [ruby/openssl] Add build support for AWS-LC

CI Changes
1. I've split the original patch up to make it easier to digest, but that forces my hand to turn off testing in the AWS-LC CI for the time being. However, do let me know if you would prefer to review the test adjustments in the same PR and I can remove the temporary CI workaround.
2. AWS-LC has a few no-op functions and we use -Wdeprecated-declarations to alert the consuming application of these. I've leveraged the skip-warnings CI option so that the build doesn't fail.

Build Adjustments
1. AWS-LC FIPS mode is decided at compile time. This is different from OpenSSL's togglable FIPS switch, so I've adjusted the build to account for this.
2. AWS-LC does not support the two KEY_SIG or KEY_EX flags that were only ever supported by old MSIE.
3. AWS-LC has no current support for post handshake authentication in TLS 1.3.
4. EC_GROUP structures for named curves in AWS-LC are constant, static, and immutable by default. This means that the EC_GROUP_set_* functions are essentially no-ops due to the immutability of the structure. We've introduced a new API for consumers that depend on OpenSSL's default mutability of the EC_GROUP structure called EC_GROUP_new_by_curve_name_mutable. Since Ruby has a bit of functionality that's dependent on the mutability of these structures, I've made the corresponding adjustments to allow things to work as expected.

https://github.com/ruby/openssl/commit/e53ec5a101
--- test/openssl/utils.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'test') diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb index c797cd3fa4..220edce292 100644 --- a/test/openssl/utils.rb +++ b/test/openssl/utils.rb
@@ -103,7 +103,7 @@ module OpenSSL::TestUtils end def openssl?(major = nil, minor = nil, fix = nil, patch = 0, status = 0) - return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") + return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") || OpenSSL::OPENSSL_VERSION.include?("AWS-LC") return true unless major OpenSSL::OPENSSL_VERSION_NUMBER >= major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 + @@ -115,6 +115,10 @@ module OpenSSL::TestUtils return false unless version !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0 end + + def aws_lc? + OpenSSL::OPENSSL_VERSION.include?("AWS-LC") + end end class OpenSSL::TestCase < Test::Unit::TestCase -- cgit v1.2.3
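
Review bot: In `openssl?` (first hunk), the added `|| OpenSSL::OPENSSL_VERSION.include?("AWS-LC")` repeats the exact check that the new `aws_lc?` helper wraps in the second hunk; call `aws_lc?` here so the version-string match lives in one place. Note also that every caller of `openssl?`, with or without version arguments, now takes the non-OpenSSL branch on AWS-LC. Since the commit message says AWS-LC CI testing is temporarily off, it would help to list which guarded tests need an explicit AWS-LC decision before testing is re-enabled.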
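
Review bot: `aws_lc?` (second hunk) takes no version arguments, unlike `openssl?(major, minor, fix, ...)` and the helper just above it that compares against `[major, minor, fix]`, so tests can only gate on AWS-LC being present, not on a particular release. If that is intentional, a one-line comment saying so, and that detection relies on the "AWS-LC" substring of `OpenSSL::OPENSSL_VERSION`, would document it; otherwise consider accepting version arguments for consistency with the neighbouring helpers.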