Ruby 3.1 integration tests

justsmth · Sep 20, 2024 · fa28d7c · fa28d7c
1 parent 8aa8815
commit fa28d7c
Show file tree

Hide file tree

Showing 3 changed files with 378 additions and 0 deletions.
diff --git a/.github/workflows/integrations.yml b/.github/workflows/integrations.yml
@@ -232,3 +232,15 @@ jobs:
       - name: Run accp build
         run: |
           ./tests/ci/integration/run_accp_integration.sh
+  ruby-releases:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install OS Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make autoconf ruby
+      - uses: actions/checkout@v3
+      - name: Build AWS-LC, build ruby, run tests
+        run: |
+          ./tests/ci/integration/run_ruby_integration.sh ruby_3_1
diff --git a/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch b/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch
@@ -0,0 +1,282 @@
+From 5a7c5f89085bf58e46c48a2531464a3a2b97c0b4 Mon Sep 17 00:00:00 2001
+From: Justin Smith <justsmth@amazon.com>
+Date: Fri, 13 Sep 2024 11:52:19 -0400
+Subject: [PATCH] Patch for AWS-LC
+
+---
+ ext/openssl/ossl_config.c  |  8 ++++++
+ ext/openssl/ossl_config.h  |  3 +++
+ ext/openssl/ossl_ocsp.c    | 16 +++++++-----
+ ext/openssl/ossl_pkcs7.c   |  8 ++++++
+ ext/openssl/ossl_pkcs7.h   |  2 ++
+ ext/openssl/ossl_pkey.c    | 50 ++++++++++++++++++--------------------
+ ext/openssl/ossl_pkey_ec.c |  4 +--
+ ext/openssl/ossl_x509.c    |  4 +--
+ ext/openssl/ossl_x509ext.c |  2 +-
+ 9 files changed, 59 insertions(+), 38 deletions(-)
+
+diff --git a/ext/openssl/ossl_config.c b/ext/openssl/ossl_config.c
+index 0bac027..7d499a0 100644
+--- a/ext/openssl/ossl_config.c
++++ b/ext/openssl/ossl_config.c
+@@ -9,6 +9,8 @@
+  */
+ #include "ossl.h"
+
++#if !defined(OPENSSL_IS_AWSLC)
++
+ static VALUE cConfig, eConfigError;
+
+ static void
+@@ -458,3 +460,9 @@ Init_ossl_config(void)
+     path_str = ossl_buf2str(path, rb_long2int(strlen(path)));
+     rb_define_const(cConfig, "DEFAULT_CONFIG_FILE", path_str);
+ }
++#else
++void
++Init_ossl_config(void)
++{
++}
++#endif
+\ No newline at end of file
+diff --git a/ext/openssl/ossl_config.h b/ext/openssl/ossl_config.h
+index 4e604f1..1c55ba1 100644
+--- a/ext/openssl/ossl_config.h
++++ b/ext/openssl/ossl_config.h
+@@ -10,7 +10,10 @@
+ #ifndef OSSL_CONFIG_H
+ #define OSSL_CONFIG_H
+
++#if !defined(OPENSSL_IS_AWSLC)
+ CONF *GetConfig(VALUE obj);
++#endif
++
+ void Init_ossl_config(void);
+
+ #endif /* OSSL_CONFIG_H */
+diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
+index 1e87484..343b5cb 100644
+--- a/ext/openssl/ossl_ocsp.c
++++ b/ext/openssl/ossl_ocsp.c
+@@ -1863,9 +1863,6 @@ Init_ossl_ocsp(void)
+     /* Illegal confirmation request */
+     rb_define_const(mOCSP, "RESPONSE_STATUS_MALFORMEDREQUEST", INT2NUM(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST));
+
+-    /* The certificate was revoked for an unknown reason */
+-    rb_define_const(mOCSP, "REVOKED_STATUS_NOSTATUS", INT2NUM(OCSP_REVOKED_STATUS_NOSTATUS));
+-
+     /* You must sign the request and resubmit */
+     rb_define_const(mOCSP, "RESPONSE_STATUS_SIGREQUIRED", INT2NUM(OCSP_RESPONSE_STATUS_SIGREQUIRED));
+
+@@ -1909,9 +1906,6 @@ Init_ossl_ocsp(void)
+     /* Do not search certificates contained in the response for a signer */
+     rb_define_const(mOCSP, "NOINTERN", INT2NUM(OCSP_NOINTERN));
+
+-    /* Do not check the signature on the response */
+-    rb_define_const(mOCSP, "NOSIGS", INT2NUM(OCSP_NOSIGS));
+-
+     /* Do not verify the certificate chain on the response */
+     rb_define_const(mOCSP, "NOCHAIN", INT2NUM(OCSP_NOCHAIN));
+
+@@ -1921,6 +1915,14 @@ Init_ossl_ocsp(void)
+     /* Do not check trust */
+     rb_define_const(mOCSP, "NOEXPLICIT", INT2NUM(OCSP_NOEXPLICIT));
+
++#if !defined(OPENSSL_IS_AWSLC)
++
++    /* The certificate was revoked for an unknown reason */
++    rb_define_const(mOCSP, "REVOKED_STATUS_NOSTATUS", INT2NUM(OCSP_REVOKED_STATUS_NOSTATUS));
++
++    /* Do not check the signature on the response */
++    rb_define_const(mOCSP, "NOSIGS", INT2NUM(OCSP_NOSIGS));
++
+     /* (This flag is not used by OpenSSL 1.0.1g) */
+     rb_define_const(mOCSP, "NOCASIGN", INT2NUM(OCSP_NOCASIGN));
+
+@@ -1930,6 +1932,8 @@ Init_ossl_ocsp(void)
+     /* Do not make additional signing certificate checks */
+     rb_define_const(mOCSP, "NOCHECKS", INT2NUM(OCSP_NOCHECKS));
+
++#endif
++
+     /* Do not verify additional certificates */
+     rb_define_const(mOCSP, "TRUSTOTHER", INT2NUM(OCSP_TRUSTOTHER));
+
+diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c
+index dbe5347..2dd771d 100644
+--- a/ext/openssl/ossl_pkcs7.c
++++ b/ext/openssl/ossl_pkcs7.c
+@@ -8,6 +8,7 @@
+  * (See the file 'LICENCE'.)
+  */
+ #include "ossl.h"
++#if !defined(OPENSSL_IS_AWSLC)
+
+ #define NewPKCS7si(klass) \
+     TypedData_Wrap_Struct((klass), &ossl_pkcs7_signer_info_type, 0)
+@@ -1079,3 +1080,10 @@ Init_ossl_pkcs7(void)
+     DefPKCS7Const(NOATTR);
+     DefPKCS7Const(NOSMIMECAP);
+ }
++
++#else
++void
++Init_ossl_pkcs7(void)
++{
++}
++#endif
+\ No newline at end of file
+diff --git a/ext/openssl/ossl_pkcs7.h b/ext/openssl/ossl_pkcs7.h
+index 3e1b094..f85efcc 100644
+--- a/ext/openssl/ossl_pkcs7.h
++++ b/ext/openssl/ossl_pkcs7.h
+@@ -8,6 +8,7 @@
+  * (See the file 'LICENCE'.)
+  */
+ #if !defined(_OSSL_PKCS7_H_)
++#if !defined(OPENSSL_IS_AWSLC)
+ #define _OSSL_PKCS7_H_
+
+ #define NewPKCS7(klass) \
+@@ -30,6 +31,7 @@ extern VALUE cPKCS7;
+ extern VALUE cPKCS7Signer;
+ extern VALUE cPKCS7Recipient;
+ extern VALUE ePKCS7Error;
++#endif
+
+ void Init_ossl_pkcs7(void);
+
+diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
+index 4aa4489..e6e2129 100644
+--- a/ext/openssl/ossl_pkey.c
++++ b/ext/openssl/ossl_pkey.c
+@@ -7,6 +7,8 @@
+  * This program is licensed under the same licence as Ruby.
+  * (See the file 'LICENCE'.)
+  */
++#include "openssl/base.h"
++#include "openssl/evp.h"
+ #include "ossl.h"
+
+ #ifdef OSSL_USE_ENGINE
+@@ -686,8 +688,7 @@ ossl_pkey_to_text(VALUE self)
+ }
+
+ VALUE
+-ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
+-{
++ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der) {
+     EVP_PKEY *pkey;
+     VALUE cipher, pass;
+     const EVP_CIPHER *enc = NULL;
+@@ -696,37 +697,32 @@ ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
+     GetPKey(self, pkey);
+     rb_scan_args(argc, argv, "02", &cipher, &pass);
+     if (!NIL_P(cipher)) {
+-	enc = ossl_evp_get_cipherbyname(cipher);
+-	pass = ossl_pem_passwd_value(pass);
++        enc = ossl_evp_get_cipherbyname(cipher);
++        pass = ossl_pem_passwd_value(pass);
+     }
+
+     bio = BIO_new(BIO_s_mem());
+     if (!bio)
+-	ossl_raise(ePKeyError, "BIO_new");
++        ossl_raise(ePKeyError, "BIO_new");
+     if (to_der) {
+-	if (!i2d_PrivateKey_bio(bio, pkey)) {
+-	    BIO_free(bio);
+-	    ossl_raise(ePKeyError, "i2d_PrivateKey_bio");
+-	}
+-    }
+-    else {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000
+-	if (!PEM_write_bio_PrivateKey_traditional(bio, pkey, enc, NULL, 0,
+-						  ossl_pem_passwd_cb,
+-						  (void *)pass)) {
+-#else
+-	char pem_str[80];
+-	const char *aname;
++        if (!i2d_PrivateKey_bio(bio, pkey)) {
++            BIO_free(bio);
++            ossl_raise(ePKeyError, "i2d_PrivateKey_bio");
++        }
++    } else {
++        char pem_str[80];
++        const char *aname;
++        const int pkey_type = EVP_PKEY_id(pkey);
++        const EVP_PKEY_ASN1_METHOD* asn1_methods = EVP_PKEY_asn1_find(NULL, pkey_type);
+
+-	EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &aname, pkey->ameth);
+-	snprintf(pem_str, sizeof(pem_str), "%s PRIVATE KEY", aname);
+-	if (!PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey, pem_str, bio,
+-				pkey, enc, NULL, 0, ossl_pem_passwd_cb,
+-				(void *)pass)) {
+-#endif
+-	    BIO_free(bio);
+-	    ossl_raise(ePKeyError, "PEM_write_bio_PrivateKey_traditional");
+-	}
++        EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &aname, asn1_methods);
++        snprintf(pem_str, sizeof(pem_str), "%s PRIVATE KEY", aname);
++        if (!PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey, pem_str, bio,
++                                pkey, enc, NULL, 0, ossl_pem_passwd_cb,
++                                (void *)pass)) {
++            BIO_free(bio);
++            ossl_raise(ePKeyError, "PEM_write_bio_PrivateKey_traditional");
++        }
+     }
+     return ossl_membio2str(bio);
+ }
+diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
+index 06d59c2..f248a96 100644
+--- a/ext/openssl/ossl_pkey_ec.c
++++ b/ext/openssl/ossl_pkey_ec.c
+@@ -1295,7 +1295,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self)
+     GetECPointGroup(self, group);
+
+     rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated");
+-#if !OSSL_OPENSSL_PREREQ(3, 0, 0)
++#if !OSSL_OPENSSL_PREREQ(3, 0, 0) && !defined(OPENSSL_IS_AWSLC)
+     if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1)
+         ossl_raise(cEC_POINT, "EC_POINT_make_affine");
+ #endif
+@@ -1444,7 +1444,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
+ 	if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1)
+ 	    ossl_raise(eEC_POINT, NULL);
+     } else {
+-#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER)
++#if (defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_AWSLC)
+         rb_raise(rb_eNotImpError, "calling #mul with arrays is not" \
+                  "supported by this OpenSSL version");
+ #else
+diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c
+index f847070..53b6270 100644
+--- a/ext/openssl/ossl_x509.c
++++ b/ext/openssl/ossl_x509.c
+@@ -243,8 +243,8 @@ Init_ossl_x509(void)
+     DefX509Const(TRUST_SSL_SERVER);
+     DefX509Const(TRUST_EMAIL);
+     DefX509Const(TRUST_OBJECT_SIGN);
+-    DefX509Const(TRUST_OCSP_SIGN);
+-    DefX509Const(TRUST_OCSP_REQUEST);
++    // DefX509Const(TRUST_OCSP_SIGN);
++    // DefX509Const(TRUST_OCSP_REQUEST);
+     DefX509Const(TRUST_TSA);
+
+     DefX509Default(CERT_AREA, cert_area);
+diff --git a/ext/openssl/ossl_x509ext.c b/ext/openssl/ossl_x509ext.c
+index e54102c..b6658e7 100644
+--- a/ext/openssl/ossl_x509ext.c
++++ b/ext/openssl/ossl_x509ext.c
+@@ -226,7 +226,7 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
+     GetX509ExtFactory(self, ctx);
+     obj = NewX509Ext(cX509Ext);
+     rconf = rb_iv_get(self, "@config");
+-    conf = NIL_P(rconf) ? NULL : GetConfig(rconf);
++    conf = NULL;
+     X509V3_set_nconf(ctx, conf);
+     ext = X509V3_EXT_nconf_nid(conf, ctx, nid, RSTRING_PTR(valstr));
+     X509V3_set_ctx_nodb(ctx);
+-- 
+2.39.3 (Apple Git-145)
+
diff --git a/tests/ci/integration/run_ruby_integration.sh b/tests/ci/integration/run_ruby_integration.sh
@@ -0,0 +1,84 @@
+#!/bin/bash -exu
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+source tests/ci/common_posix_setup.sh
+
+set -exuo pipefail
+
+# Set up environment.
+
+# SYS_ROOT
+#  - SRC_ROOT(aws-lc)
+#    - SCRATCH_FOLDER
+#      - RUBY_SRC_FOLDER
+#        - ruby_3_1
+#      - RUBY_PATCH_FOLDER
+#        - ruby_3_1
+#      - AWS_LC_BUILD_FOLDER
+#      - AWS_LC_INSTALL_FOLDER
+
+# Assumes script is executed from the root of aws-lc directory
+SCRATCH_FOLDER="${SRC_ROOT}/RUBY_BUILD_ROOT"
+RUBY_SRC_FOLDER="${SCRATCH_FOLDER}/ruby-src"
+RUBY_PATCH_FOLDER="${SRC_ROOT}/tests/ci/integration/ruby_patch"
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+
+function ruby_build() {
+    local branch=${1}
+    pushd ${branch}
+    ./autogen.sh
+    mkdir -p build && cd build
+    export
+    ../configure CFLAGS="-DAWS_LC_INTERNAL_IGNORE_BN_SET_FLAGS=1 -Wno-deprecated-declarations" \
+                 --with-openssl-dir=${AWS_LC_INSTALL_FOLDER} \
+                 --with-openssl-lib=${AWS_LC_INSTALL_FOLDER}/lib \
+                 --with-openssl-include=${AWS_LC_INSTALL_FOLDER}/include
+    make -j ${NUM_CPU_THREADS}
+    popd
+}
+
+function ruby_patch() {
+    local branch=${1}
+    local src_dir="${RUBY_SRC_FOLDER}/${branch}"
+    local patch_dir="${RUBY_PATCH_FOLDER}/${branch}"
+    if [[ ! $(find -L ${patch_dir} -type f -name '*.patch') ]]; then
+        echo "No patch for ${branch}!"
+        exit 1
+    fi
+    git clone https://github.com/ruby/ruby.git ${src_dir} \
+        --depth 1 \
+        --branch ${branch}
+    for patchfile in $(find -L ${patch_dir} -type f -name '*.patch'); do
+      echo "Apply patch ${patchfile}..."
+      cat ${patchfile} | patch -p1 --quiet -d ${src_dir}
+    done
+}
+
+if [[ "$#" -eq "0" ]]; then
+    echo "No ruby branches provided for testing"
+    exit 1
+fi
+
+mkdir -p ${SCRATCH_FOLDER}
+rm -rf ${SCRATCH_FOLDER}/*
+cd ${SCRATCH_FOLDER}
+
+mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER}
+
+export CFLAGS="-DAWS_LC_INTERNAL_IGNORE_BN_SET_FLAGS=1"
+aws_lc_build ${SRC_ROOT} ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER} -DBUILD_TESTING=OFF -DBUILD_SHARED_LIBS=1
+
+mkdir -p ${RUBY_SRC_FOLDER}
+pushd ${RUBY_SRC_FOLDER}
+
+# NOTE: As we add more versions to support, we may want to parallelize here
+for branch in "$@"; do
+    ruby_patch ${branch}
+    ruby_build ${branch}
+done
+
+cp ${AWS_LC_INSTALL_FOLDER}/lib/{libcrypto.*,libssl.*} ${RUBY_SRC_FOLDER}/${branch}/build
+
+popd