FIPS build changes

samuel40791765 · Dec 2, 2024 · 855644f · 855644f
1 parent d74ee8a
commit 855644f
Show file tree

Hide file tree

Showing 2 changed files with 163 additions and 11 deletions.
diff --git a/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch b/tests/ci/integration/ruby_patch/ruby_3_1/aws-lc-ruby-temp.patch
@@ -1,3 +1,35 @@
+diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
+index 6c532ac..b4ca18b 100644
+--- a/ext/openssl/ossl.c
++++ b/ext/openssl/ossl.c
+@@ -417,8 +417,7 @@ ossl_debug_set(VALUE self, VALUE val)
+ static VALUE
+ ossl_fips_mode_get(VALUE self)
+ {
+-
+-#ifdef OPENSSL_FIPS
++#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
+     VALUE enabled;
+     enabled = FIPS_mode() ? Qtrue : Qfalse;
+     return enabled;
+@@ -443,7 +442,7 @@ static VALUE
+ ossl_fips_mode_set(VALUE self, VALUE enabled)
+ {
+
+-#ifdef OPENSSL_FIPS
++#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
+     if (RTEST(enabled)) {
+ 	int mode = FIPS_mode();
+ 	if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
+@@ -1200,6 +1199,8 @@ Init_openssl(void)
+     rb_define_const(mOSSL, "OPENSSL_FIPS",
+ #ifdef OPENSSL_FIPS
+ 		    Qtrue
++#elif defined(OPENSSL_IS_AWSLC) // AWS-LC FIPS can only be enabled during compile time.
++            FIPS_mode() ? Qtrue : Qfalse
+ #else
+ 		    Qfalse
+ #endif
 diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c
 index fb947df..969aa25 100644
 --- a/ext/openssl/ossl_pkcs12.c
@@ -121,6 +153,35 @@ index 7e5b969..4521e62 100644
      encode_decode_test B(%w{ 41 02 AB CD }), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD }), 1, :APPLICATION)
      encode_decode_test B(%w{ 41 81 80 } + %w{ AB CD } * 64), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 64), 1, :APPLICATION)
      encode_decode_test B(%w{ 41 82 01 00 } + %w{ AB CD } * 128), OpenSSL::ASN1::ASN1Data.new(B(%w{ AB CD } * 128), 1, :APPLICATION)
+diff --git a/test/openssl/test_bn.rb b/test/openssl/test_bn.rb
+index 346602d..2552d95 100644
+--- a/test/openssl/test_bn.rb
++++ b/test/openssl/test_bn.rb
+@@ -56,10 +56,11 @@ def test_to_str
+     assert_equal((-(2**107-1)).to_s, @e4.to_s(10))
+     assert_equal("999", @e1.to_s)
+
+-    assert_equal("03E7", @e1.to_s(16))
+-    assert_equal("-03E7", @e2.to_s(16))
+-    assert_equal("07FFFFFFFFFFFFFFFFFFFFFFFFFF", @e3.to_s(16))
+-    assert_equal("-07FFFFFFFFFFFFFFFFFFFFFFFFFF", @e4.to_s(16))
++    # AWS-LC prints hex in lower case.
++    assert_equal("03E7", @e1.to_s(16).upcase)
++    assert_equal("-03E7", @e2.to_s(16).upcase)
++    assert_equal("07FFFFFFFFFFFFFFFFFFFFFFFFFF", @e3.to_s(16).upcase)
++    assert_equal("-07FFFFFFFFFFFFFFFFFFFFFFFFFF", @e4.to_s(16).upcase)
+
+     assert_equal("\x03\xe7", @e1.to_s(2))
+     assert_equal("\x03\xe7", @e2.to_s(2))
+@@ -313,6 +314,8 @@ def test_argument_error
+   end
+
+   def test_get_flags_and_set_flags
++    return if aws_lc? # AWS-LC does not support BN::CONSTTIME.
++
+     e = OpenSSL::BN.new(999)
+
+     assert_equal(0, e.get_flags(OpenSSL::BN::CONSTTIME))
 diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb
 index 24a215a..8f4eb39 100644
 --- a/test/openssl/test_config.rb
@@ -269,16 +330,73 @@ index 9a4818d..0617a1d 100644
      assert_equal group1, group2
 
      group3 = group1.dup
+diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
+index fa84b76..117ba55 100644
+--- a/test/openssl/test_pkey_rsa.rb
++++ b/test/openssl/test_pkey_rsa.rb
+@@ -14,9 +14,7 @@ def test_no_private_exp
+   end if !openssl?(3, 0, 0) # Impossible state in OpenSSL 3.0
+
+   def test_private
+-    # Generated by key size and public exponent
+-    key = OpenSSL::PKey::RSA.new(512, 3)
+-    assert(key.private?)
++    key = Fixtures.pkey("rsa2048")
+
+     # Generated by DER
+     key2 = OpenSSL::PKey::RSA.new(key.to_der)
+@@ -46,34 +44,23 @@ def test_private
+   end
+
+   def test_new
+-    key = OpenSSL::PKey::RSA.new(512)
+-    assert_equal 512, key.n.num_bits
++    key = OpenSSL::PKey::RSA.new(2048)
++    assert_equal 2048, key.n.num_bits
+     assert_equal 65537, key.e
+     assert_not_nil key.d
+-
+-    # Specify public exponent
+-    key2 = OpenSSL::PKey::RSA.new(512, 3)
+-    assert_equal 512, key2.n.num_bits
+-    assert_equal 3, key2.e
+-    assert_not_nil key2.d
++    assert(key.private?)
+   end
+
+   def test_s_generate
+-    key1 = OpenSSL::PKey::RSA.generate(512)
+-    assert_equal 512, key1.n.num_bits
++    key1 = OpenSSL::PKey::RSA.generate(2048)
++    assert_equal 2048, key1.n.num_bits
+     assert_equal 65537, key1.e
+-
+-    # Specify public exponent
+-    key2 = OpenSSL::PKey::RSA.generate(512, 3)
+-    assert_equal 512, key2.n.num_bits
+-    assert_equal 3, key2.e
+-    assert_not_nil key2.d
+   end
+
+   def test_new_break
+-    assert_nil(OpenSSL::PKey::RSA.new(1024) { break })
++    assert_nil(OpenSSL::PKey::RSA.new(2048) { break })
+     assert_raise(RuntimeError) do
+-      OpenSSL::PKey::RSA.new(1024) { raise }
++      OpenSSL::PKey::RSA.new(2048) { raise }
+     end
+   end
+
 diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
-index 39964bf..59e0213 100644
+index 39964bf..536b85c 100644
 --- a/test/openssl/test_ssl.rb
 +++ b/test/openssl/test_ssl.rb
 @@ -420,7 +420,7 @@ def test_verify_result
        ssl.sync_close = true
        begin
          assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
 -        assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
-+        assert_includes(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN..OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, ssl.verify_result)
++        assert_includes [OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY], ssl.verify_result
        ensure
          ssl.close
        end
@@ -444,10 +562,21 @@ index d6c0e70..dad4036 100644
      ca1_key = Fixtures.pkey("rsa-1")
      ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil)
 diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
-index 4ebcb98..2afb15d 100644
+index 4ebcb98..b958c48 100644
 --- a/test/openssl/utils.rb
 +++ b/test/openssl/utils.rb
-@@ -132,7 +132,7 @@ def get_subject_key_id(cert, hex: true)
+@@ -2,10 +2,6 @@
+ begin
+   require "openssl"
+
+-  # Disable FIPS mode for tests for installations
+-  # where FIPS mode would be enabled by default.
+-  # Has no effect on all other installations.
+-  OpenSSL.fips_mode=false
+ rescue LoadError
+ end
+
+@@ -132,7 +128,7 @@ def get_subject_key_id(cert, hex: true)
    end
 
    def openssl?(major = nil, minor = nil, fix = nil, patch = 0)
@@ -456,7 +585,7 @@ index 4ebcb98..2afb15d 100644
      return true unless major
      OpenSSL::OPENSSL_VERSION_NUMBER >=
        major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10
-@@ -143,6 +143,12 @@ def libressl?(major = nil, minor = nil, fix = nil)
+@@ -143,6 +139,12 @@ def libressl?(major = nil, minor = nil, fix = nil)
      return false unless version
      !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0
    end

diff --git a/tests/ci/integration/run_ruby_integration.sh b/tests/ci/integration/run_ruby_integration.sh
@@ -30,10 +30,31 @@ function ruby_build() {
     pushd ${branch}
     ./autogen.sh
     mkdir -p build && cd build
-    ../configure --with-openssl-dir=${AWS_LC_INSTALL_FOLDER} \
-                 --with-openssl-lib=${AWS_LC_INSTALL_FOLDER}/lib \
-                 --with-openssl-include=${AWS_LC_INSTALL_FOLDER}/include
-    make -j ${NUM_CPU_THREADS}
+
+    ../configure --disable-install-doc \
+                 --disable-rpath \
+                 --enable-load-relative \
+                 --enable-shared \
+                 --with-openssl-dir=${AWS_LC_INSTALL_FOLDER}
+
+    # Ruby's make command builds Ruby first, then generates Makefiles for the underlying gems. The configure
+    # scripts for the underlying gems also happen to take a dependency on the resulting Ruby binary. This
+    # means we need to build Ruby first before we can make any changes to the underlying gem(openssl)'s Makefile.
+    make V=1 -j ${NUM_CPU_THREADS}
+
+    # Replace all specific calls to "-lssl -lcrypto" in Makefiles, so we build with AWS-LC's static libraries instead.
+    # Ruby's openssl gem build prioritizes shared libraries and ignores any self-defined LDFLAGS without this.
+    egrep -IR "(\-lssl|\-lcrypto)" * | cut -d ":" -f 1 | uniq | sort | grep -w "Makefile" | \
+      xargs -I {} sed -i 's|-lssl|-l:libssl.a|g; s|-lcrypto|-l:libcrypto.a|g' {}
+
+    # Rebuild to link statically against AWS-LC.
+    make V=1 -j ${NUM_CPU_THREADS}
+
+    # Check that shared library of AWS-LC was not linked.
+    ldd "$(find ./ -name "openssl.so")" | grep -qE "libssl\.so|libcrypto\.so" && exit 1
+
+    # make test-all TESTS="../test/openssl/test_pkey_rsa.rb" 
+
     popd
 }
 
@@ -61,12 +82,14 @@ fi
 
 mkdir -p ${SCRATCH_FOLDER}
 rm -rf ${SCRATCH_FOLDER}/*
+# rm -rf ${RUBY_SRC_FOLDER}
 cd ${SCRATCH_FOLDER}
 
 mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER}
 
-export CFLAGS="-DAWS_LC_INTERNAL_IGNORE_BN_SET_FLAGS=1"
-aws_lc_build ${SRC_ROOT} ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER} -DBUILD_TESTING=OFF -DBUILD_SHARED_LIBS=1
+aws_lc_build ${SRC_ROOT} ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER} -DBUILD_TESTING=OFF -DFIPS=1 -DBUILD_SHARED_LIBS=1
+rm -rf ${AWS_LC_BUILD_FOLDER} && mkdir -p ${AWS_LC_BUILD_FOLDER}
+aws_lc_build ${SRC_ROOT} ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER} -DBUILD_TESTING=OFF -DFIPS=1
 
 mkdir -p ${RUBY_SRC_FOLDER}
 pushd ${RUBY_SRC_FOLDER}