Showing
3 changed files
with
378 additions
and
0 deletions.
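--- a/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch
+++ b/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch
@@ -0,0 +1,282 @@
+From 5a7c5f89085bf58e46c48a2531464a3a2b97c0b4 Mon Sep 17 00:00:00 2001
+From: Justin Smith <justsmth@amazon.com>
+Date: Fri, 13 Sep 2024 11:52:19 -0400
+Subject: [PATCH] Patch for AWS-LC
+
+---
+ext/openssl/ossl_config.c | 8 ++++++
+ext/openssl/ossl_config.h | 3 +++
+ext/openssl/ossl_ocsp.c | 16 +++++++-----
+ext/openssl/ossl_pkcs7.c | 8 ++++++
+ext/openssl/ossl_pkcs7.h | 2 ++
+ext/openssl/ossl_pkey.c | 50 ++++++++++++++++++--------------------
+ext/openssl/ossl_pkey_ec.c | 4 +--
+ext/openssl/ossl_x509.c | 4 +--
+ext/openssl/ossl_x509ext.c | 2 +-
+9 files changed, 59 insertions(+), 38 deletions(-)
+
+diff --git a/ext/openssl/ossl_config.c b/ext/openssl/ossl_config.c
+index 0bac027..7d499a0 100644
+--- a/ext/openssl/ossl_config.c
++++ b/ext/openssl/ossl_config.c
+@@ -9,6 +9,8 @@
+*/
+#include "ossl.h"
+
++#if !defined(OPENSSL_IS_AWSLC)
++
+static VALUE cConfig, eConfigError;
+
+static void
+@@ -458,3 +460,9 @@ Init_ossl_config(void)
+path_str = ossl_buf2str(path, rb_long2int(strlen(path)));
+rb_define_const(cConfig, "DEFAULT_CONFIG_FILE", path_str);
+}
++#else
++void
++Init_ossl_config(void)
++{
++}
++#endif
+\ No newline at end of file
+diff --git a/ext/openssl/ossl_config.h b/ext/openssl/ossl_config.h
+index 4e604f1..1c55ba1 100644
+--- a/ext/openssl/ossl_config.h
++++ b/ext/openssl/ossl_config.h
+@@ -10,7 +10,10 @@
+#ifndef OSSL_CONFIG_H
+#define OSSL_CONFIG_H
+
++#if !defined(OPENSSL_IS_AWSLC)
+CONF *GetConfig(VALUE obj);
++#endif
++
+void Init_ossl_config(void);
+
+#endif /* OSSL_CONFIG_H */
+diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
+index 1e87484..343b5cb 100644
+--- a/ext/openssl/ossl_ocsp.c
++++ b/ext/openssl/ossl_ocsp.c
+@@ -1863,9 +1863,6 @@ Init_ossl_ocsp(void)
+/* Illegal confirmation request */
+rb_define_const(mOCSP, "RESPONSE_STATUS_MALFORMEDREQUEST", INT2NUM(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST));
+
+- /* The certificate was revoked for an unknown reason */
+- rb_define_const(mOCSP, "REVOKED_STATUS_NOSTATUS", INT2NUM(OCSP_REVOKED_STATUS_NOSTATUS));
+-
+/* You must sign the request and resubmit */
+rb_define_const(mOCSP, "RESPONSE_STATUS_SIGREQUIRED", INT2NUM(OCSP_RESPONSE_STATUS_SIGREQUIRED));
+
+@@ -1909,9 +1906,6 @@ Init_ossl_ocsp(void)
+/* Do not search certificates contained in the response for a signer */
+rb_define_const(mOCSP, "NOINTERN", INT2NUM(OCSP_NOINTERN));
+
+- /* Do not check the signature on the response */
+- rb_define_const(mOCSP, "NOSIGS", INT2NUM(OCSP_NOSIGS));
+-
+/* Do not verify the certificate chain on the response */
+rb_define_const(mOCSP, "NOCHAIN", INT2NUM(OCSP_NOCHAIN));
+
+@@ -1921,6 +1915,14 @@ Init_ossl_ocsp(void)
+/* Do not check trust */
+rb_define_const(mOCSP, "NOEXPLICIT", INT2NUM(OCSP_NOEXPLICIT));
+
++#if !defined(OPENSSL_IS_AWSLC)
++
++ /* The certificate was revoked for an unknown reason */
++ rb_define_const(mOCSP, "REVOKED_STATUS_NOSTATUS", INT2NUM(OCSP_REVOKED_STATUS_NOSTATUS));
++
++ /* Do not check the signature on the response */
++ rb_define_const(mOCSP, "NOSIGS", INT2NUM(OCSP_NOSIGS));
++
+/* (This flag is not used by OpenSSL 1.0.1g) */
+rb_define_const(mOCSP, "NOCASIGN", INT2NUM(OCSP_NOCASIGN));
+
+@@ -1930,6 +1932,8 @@ Init_ossl_ocsp(void)
+/* Do not make additional signing certificate checks */
+rb_define_const(mOCSP, "NOCHECKS", INT2NUM(OCSP_NOCHECKS));
+
++#endif
++
+/* Do not verify additional certificates */
+rb_define_const(mOCSP, "TRUSTOTHER", INT2NUM(OCSP_TRUSTOTHER));
+
+diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c
+index dbe5347..2dd771d 100644
+--- a/ext/openssl/ossl_pkcs7.c
++++ b/ext/openssl/ossl_pkcs7.c
+@@ -8,6 +8,7 @@
+* (See the file 'LICENCE'.)
+*/
+#include "ossl.h"
++#if !defined(OPENSSL_IS_AWSLC)
+
+#define NewPKCS7si(klass) \
+TypedData_Wrap_Struct((klass), &ossl_pkcs7_signer_info_type, 0)
+@@ -1079,3 +1080,10 @@ Init_ossl_pkcs7(void)
+DefPKCS7Const(NOATTR);
+DefPKCS7Const(NOSMIMECAP);
+}
++
++#else
++void
++Init_ossl_pkcs7(void)
++{
++}
++#endif
+\ No newline at end of file
+diff --git a/ext/openssl/ossl_pkcs7.h b/ext/openssl/ossl_pkcs7.h
+index 3e1b094..f85efcc 100644
+--- a/ext/openssl/ossl_pkcs7.h
++++ b/ext/openssl/ossl_pkcs7.h
+@@ -8,6 +8,7 @@
+* (See the file 'LICENCE'.)
+*/
+#if !defined(_OSSL_PKCS7_H_)
++#if !defined(OPENSSL_IS_AWSLC)
+#define _OSSL_PKCS7_H_
+
+#define NewPKCS7(klass) \
+@@ -30,6 +31,7 @@ extern VALUE cPKCS7;
+extern VALUE cPKCS7Signer;
+extern VALUE cPKCS7Recipient;
+extern VALUE ePKCS7Error;
++#endif
+
+void Init_ossl_pkcs7(void);
+
+diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
+index 4aa4489..e6e2129 100644
+--- a/ext/openssl/ossl_pkey.c
++++ b/ext/openssl/ossl_pkey.c
+@@ -7,6 +7,8 @@
+* This program is licensed under the same licence as Ruby.
+* (See the file 'LICENCE'.)
+*/
++#include "openssl/base.h"
++#include "openssl/evp.h"
+#include "ossl.h"
+
+#ifdef OSSL_USE_ENGINE
+@@ -686,8 +688,7 @@ ossl_pkey_to_text(VALUE self)
+}
+
+VALUE
+-ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
+-{
++ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der) {
+EVP_PKEY *pkey;
+VALUE cipher, pass;
+const EVP_CIPHER *enc = NULL;
+@@ -696,37 +697,32 @@ ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
+GetPKey(self, pkey);
+rb_scan_args(argc, argv, "02", &cipher, &pass);
+if (!NIL_P(cipher)) {
+- enc = ossl_evp_get_cipherbyname(cipher);
+- pass = ossl_pem_passwd_value(pass);
++ enc = ossl_evp_get_cipherbyname(cipher);
++ pass = ossl_pem_passwd_value(pass);
+}
+
+bio = BIO_new(BIO_s_mem());
+if (!bio)
+- ossl_raise(ePKeyError, "BIO_new");
++ ossl_raise(ePKeyError, "BIO_new");
+if (to_der) {
+- if (!i2d_PrivateKey_bio(bio, pkey)) {
+- BIO_free(bio);
+- ossl_raise(ePKeyError, "i2d_PrivateKey_bio");
+- }
+- }
+- else {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000
+- if (!PEM_write_bio_PrivateKey_traditional(bio, pkey, enc, NULL, 0,
+- ossl_pem_passwd_cb,
+- (void *)pass)) {
+-#else
+- char pem_str[80];
+- const char *aname;
++ if (!i2d_PrivateKey_bio(bio, pkey)) {
++ BIO_free(bio);
++ ossl_raise(ePKeyError, "i2d_PrivateKey_bio");
++ }
++ } else {
++ char pem_str[80];
++ const char *aname;
++ const int pkey_type = EVP_PKEY_id(pkey);
++ const EVP_PKEY_ASN1_METHOD* asn1_methods = EVP_PKEY_asn1_find(NULL, pkey_type);
+
+- EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &aname, pkey->ameth);
+- snprintf(pem_str, sizeof(pem_str), "%s PRIVATE KEY", aname);
+- if (!PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey, pem_str, bio,
+- pkey, enc, NULL, 0, ossl_pem_passwd_cb,
+- (void *)pass)) {
+-#endif
+- BIO_free(bio);
+- ossl_raise(ePKeyError, "PEM_write_bio_PrivateKey_traditional");
+- }
++ EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &aname, asn1_methods);
++ snprintf(pem_str, sizeof(pem_str), "%s PRIVATE KEY", aname);
++ if (!PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey, pem_str, bio,
++ pkey, enc, NULL, 0, ossl_pem_passwd_cb,
++ (void *)pass)) {
++ BIO_free(bio);
++ ossl_raise(ePKeyError, "PEM_write_bio_PrivateKey_traditional");
++ }
+}
+return ossl_membio2str(bio);
+}
+diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
+index 06d59c2..f248a96 100644
+--- a/ext/openssl/ossl_pkey_ec.c
++++ b/ext/openssl/ossl_pkey_ec.c
+@@ -1295,7 +1295,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self)
+GetECPointGroup(self, group);
+
+rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated");
+-#if !OSSL_OPENSSL_PREREQ(3, 0, 0)
++#if !OSSL_OPENSSL_PREREQ(3, 0, 0) && !defined(OPENSSL_IS_AWSLC)
+if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1)
+ossl_raise(cEC_POINT, "EC_POINT_make_affine");
+#endif
+@@ -1444,7 +1444,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
+if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1)
+ossl_raise(eEC_POINT, NULL);
+} else {
+-#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER)
++#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_AWSLC)
+rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \
+"supported by this OpenSSL version");
+#else
+diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c
+index f847070..53b6270 100644
+--- a/ext/openssl/ossl_x509.c
++++ b/ext/openssl/ossl_x509.c
+@@ -243,8 +243,8 @@ Init_ossl_x509(void)
+DefX509Const(TRUST_SSL_SERVER);
+DefX509Const(TRUST_EMAIL);
+DefX509Const(TRUST_OBJECT_SIGN);
+- DefX509Const(TRUST_OCSP_SIGN);
+- DefX509Const(TRUST_OCSP_REQUEST);
++ // DefX509Const(TRUST_OCSP_SIGN);
++ // DefX509Const(TRUST_OCSP_REQUEST);
+DefX509Const(TRUST_TSA);
+
+DefX509Default(CERT_AREA, cert_area);
+diff --git a/ext/openssl/ossl_x509ext.c b/ext/openssl/ossl_x509ext.c
+index e54102c..b6658e7 100644
+--- a/ext/openssl/ossl_x509ext.c
++++ b/ext/openssl/ossl_x509ext.c
+@@ -226,7 +226,7 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
+GetX509ExtFactory(self, ctx);
+obj = NewX509Ext(cX509Ext);
+rconf = rb_iv_get(self, "@config");
+- conf = NIL_P(rconf) ? NULL : GetConfig(rconf);
++ conf = NULL;
+X509V3_set_nconf(ctx, conf);
+ext = X509V3_EXT_nconf_nid(conf, ctx, nid, RSTRING_PTR(valstr));
+X509V3_set_ctx_nodb(ctx);
+--
+2.39.3 (Apple Git-145)
+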
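Review bot: In the ossl_pkey.c hunk of the embedded patch, `EVP_PKEY_asn1_find(NULL, pkey_type)` can return NULL for a key type with no registered ASN.1 method, and neither that result nor the return value of `EVP_PKEY_asn1_get0_info` is checked, so on that path `aname` is never assigned and the following `snprintf(pem_str, sizeof(pem_str), "%s PRIVATE KEY", aname)` formats an uninitialized pointer. The same hunk also drops the `OPENSSL_VERSION_NUMBER >= 0x10100000` / `PEM_write_bio_PrivateKey_traditional` branch for every build, whereas the ossl_config.c, ossl_pkcs7.c and ossl_ocsp.c hunks fence their AWS-LC differences with `#if !defined(OPENSSL_IS_AWSLC)`; the `//`-commented `DefX509Const(TRUST_OCSP_*)` lines in ossl_x509.c and the unconditional `conf = NULL;` in ossl_x509ext.c have the same inconsistency, and the latter silently discards a caller-supplied `@config` (leaving `rconf` unused) instead of raising on AWS-LC. ossl_pkey_export_traditional begins in the preceding hunk. The export path should fail closed before formatting the PEM header:
```c
const EVP_PKEY_ASN1_METHOD* asn1_methods = EVP_PKEY_asn1_find(NULL, pkey_type);

/* Fail closed: an unknown key type has no ASN.1 method, and
 * EVP_PKEY_asn1_get0_info then leaves aname unset. */
if (asn1_methods == NULL ||
    !EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &aname, asn1_methods)) {
    BIO_free(bio);
    ossl_raise(ePKeyError, "EVP_PKEY_asn1_get0_info");
}
snprintf(pem_str, sizeof(pem_str), "%s PRIVATE KEY", aname);
/* … unchanged: PEM_ASN1_write_bio call and its error handling … */
```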
@@ -0,0 +1,84 @@ | ||
#!/bin/bash -exu | ||
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
# SPDX-License-Identifier: Apache-2.0 OR ISC | ||
|
||
source tests/ci/common_posix_setup.sh | ||
|
||
set -exuo pipefail | ||
|
||
# Set up environment. | ||
|
||
# SYS_ROOT | ||
# - SRC_ROOT(aws-lc) | ||
# - SCRATCH_FOLDER | ||
# - RUBY_SRC_FOLDER | ||
# - ruby_3_1 | ||
# - RUBY_PATCH_FOLDER | ||
# - ruby_3_1 | ||
# - AWS_LC_BUILD_FOLDER | ||
# - AWS_LC_INSTALL_FOLDER | ||
|
||
# Assumes script is executed from the root of aws-lc directory | ||
SCRATCH_FOLDER="${SRC_ROOT}/RUBY_BUILD_ROOT" | ||
RUBY_SRC_FOLDER="${SCRATCH_FOLDER}/ruby-src" | ||
RUBY_PATCH_FOLDER="${SRC_ROOT}/tests/ci/integration/ruby_patch" | ||
AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build" | ||
AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install" | ||
|
||
function ruby_build() { | ||
local branch=${1} | ||
pushd ${branch} | ||
./autogen.sh | ||
mkdir -p build && cd build | ||
export | ||
../configure CFLAGS="-DAWS_LC_INTERNAL_IGNORE_BN_SET_FLAGS=1 -Wno-deprecated-declarations" \ | ||
--with-openssl-dir=${AWS_LC_INSTALL_FOLDER} \ | ||
--with-openssl-lib=${AWS_LC_INSTALL_FOLDER}/lib \ | ||
--with-openssl-include=${AWS_LC_INSTALL_FOLDER}/include | ||
make -j ${NUM_CPU_THREADS} | ||
popd | ||
} | ||
|
||
function ruby_patch() { | ||
local branch=${1} | ||
local src_dir="${RUBY_SRC_FOLDER}/${branch}" | ||
local patch_dir="${RUBY_PATCH_FOLDER}/${branch}" | ||
if [[ ! $(find -L ${patch_dir} -type f -name '*.patch') ]]; then | ||
echo "No patch for ${branch}!" | ||
exit 1 | ||
fi | ||
git clone https://github.com/ruby/ruby.git ${src_dir} \ | ||
--depth 1 \ | ||
--branch ${branch} | ||
for patchfile in $(find -L ${patch_dir} -type f -name '*.patch'); do | ||
echo "Apply patch ${patchfile}..." | ||
cat ${patchfile} | patch -p1 --quiet -d ${src_dir} | ||
done | ||
} | ||
|
||
if [[ "$#" -eq "0" ]]; then | ||
echo "No ruby branches provided for testing" | ||
exit 1 | ||
fi | ||
|
||
mkdir -p ${SCRATCH_FOLDER} | ||
rm -rf ${SCRATCH_FOLDER}/* | ||
cd ${SCRATCH_FOLDER} | ||
|
||
mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER} | ||
|
||
export CFLAGS="-DAWS_LC_INTERNAL_IGNORE_BN_SET_FLAGS=1" | ||
aws_lc_build ${SRC_ROOT} ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER} -DBUILD_TESTING=OFF -DBUILD_SHARED_LIBS=1 | ||
|
||
mkdir -p ${RUBY_SRC_FOLDER} | ||
pushd ${RUBY_SRC_FOLDER} | ||
|
||
# NOTE: As we add more versions to support, we may want to parallelize here | ||
for branch in "$@"; do | ||
ruby_patch ${branch} | ||
ruby_build ${branch} | ||
done | ||
|
||
cp ${AWS_LC_INSTALL_FOLDER}/lib/{libcrypto.*,libssl.*} ${RUBY_SRC_FOLDER}/${branch}/build | ||
|
||
popd |
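Review bot: The bare `export` in ruby_build, on the line before `../configure`, prints every exported variable of the CI job to the build log, which exposes any secret the runner passes through the environment; remove it, or print only the variables the build actually reads, e.g. `echo "CFLAGS=${CFLAGS:-}"`. The `cp ${AWS_LC_INSTALL_FOLDER}/lib/{libcrypto.*,libssl.*} ${RUBY_SRC_FOLDER}/${branch}/build` after the for loop depends on `branch` keeping its last loop value, so with several branches only the final build directory receives the AWS-LC libraries; move that line into the loop body after `ruby_build ${branch}`. The expansions in `pushd ${branch}`, `cat ${patchfile} | patch -p1 --quiet -d ${src_dir}` and `git clone ... ${src_dir}` are unquoted, so a branch name or checkout path containing whitespace or glob characters splits into extra arguments; quote them (`pushd "${branch}"`, `patch -p1 --quiet -d "${src_dir}" < "${patchfile}"`). The name of this script is not shown on the page.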