More tweaks for Ruby integration (#1852)
Ruby depends on some additional SSL flags and retrieving `DH` from
`EVP_PKEY_get0` with `EVP_PKEY_DH` (which were both recently added).
There were also a couple test failures in test_cipher.rb
that were relatively easy to fix.

```
❯ make test-all TESTS=../test/openssl/test_cipher.rb
config.status: creating ruby-runner.h
making mjit_build_dir.so
Run options: 
  --seed=38192
  "--ruby=./miniruby -I../lib -I. -I.ext/common  ...
  --excludes-dir=../test/excludes
  --name=!/memory_leak/

# Running tests:

Finished tests in 0.058507s, 324.7500 tests/s, 1982.6843 assertions/s.           
19 tests, 116 assertions, 0 failures, 0 errors, 0 skips

ruby -v: ruby 3.1.6p260 (2024-09-10 revision 30d00a0b43) [x86_64-linux]

```


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
samuel40791765 committed Sep 17, 2024
1 parent d3a598c commit 998227d
Showing 5 changed files with 25 additions and 1 deletion.
3 changes: 3 additions & 0 deletions crypto/cipher_extra/cipher_extra.c
Expand Up @@ -73,16 +73,19 @@ static const struct {
const EVP_CIPHER *(*func)(void);
} kCiphers[] = {
{NID_aes_128_cbc, "aes-128-cbc", EVP_aes_128_cbc},
{NID_aes_128_cfb128, "aes-128-cfb", EVP_aes_128_cfb},
{NID_aes_128_ctr, "aes-128-ctr", EVP_aes_128_ctr},
{NID_aes_128_ecb, "aes-128-ecb", EVP_aes_128_ecb},
{NID_aes_128_gcm, "aes-128-gcm", EVP_aes_128_gcm},
{NID_aes_128_ofb128, "aes-128-ofb", EVP_aes_128_ofb},
{NID_aes_192_cbc, "aes-192-cbc", EVP_aes_192_cbc},
{NID_aes_192_cfb128, "aes-192-cfb", EVP_aes_192_cfb},
{NID_aes_192_ctr, "aes-192-ctr", EVP_aes_192_ctr},
{NID_aes_192_ecb, "aes-192-ecb", EVP_aes_192_ecb},
{NID_aes_192_gcm, "aes-192-gcm", EVP_aes_192_gcm},
{NID_aes_192_ofb128, "aes-192-ofb", EVP_aes_192_ofb},
{NID_aes_256_cbc, "aes-256-cbc", EVP_aes_256_cbc},
{NID_aes_256_cfb128, "aes-256-cfb", EVP_aes_256_cfb},
{NID_aes_256_ctr, "aes-256-ctr", EVP_aes_256_ctr},
{NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb},
{NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm},
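Review bot: None of the five files changed in this commit is a test, so the three rows this section adds to `kCiphers` are exercised only by the external Ruby test_cipher.rb run quoted in the description. The same applies to the "aes128"/"aes256" aliases in crypto/decrepit/evp/evp_do_all.c and the `EVP_PKEY_DH` case in crypto/fipsmodule/evp/evp.c. An in-tree test that looks up each new name (for example through `EVP_get_cipherbyname`) and checks it resolves to the expected `EVP_CIPHER`, plus one that calls `EVP_PKEY_get0` on a DH key, would keep these from regressing silently. The page does not mark which rows are new, and the table continues outside the hunk.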
4 changes: 4 additions & 0 deletions crypto/decrepit/evp/evp_do_all.c
Expand Up @@ -67,6 +67,10 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
callback(EVP_rc2_cbc(), "rc2-cbc", NULL, arg);
callback(EVP_rc4(), "rc4", NULL, arg);
callback(EVP_chacha20_poly1305(), "chacha20-poly1305", NULL, arg);

// Other possible historical aliases from OpenSSL.
callback(EVP_aes_128_cbc(), "aes128", NULL, arg);
callback(EVP_aes_256_cbc(), "aes256", NULL, arg);
}

void EVP_MD_do_all_sorted(void (*callback)(const EVP_MD *cipher,
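Review bot: The comment `// Other possible historical aliases from OpenSSL.` does not say that "aes128" and "aes256" mean CBC, although the two callbacks under it pass `EVP_aes_128_cbc()` and `EVP_aes_256_cbc()`. CBC provides no integrity protection, so a caller choosing "aes256" from the enumerated names should be able to see which mode it gets; I would write `// Historical OpenSSL aliases: "aes128" and "aes256" select AES-CBC, which is unauthenticated.` The same cipher objects are presumably already reported under their full names earlier in `EVP_CIPHER_do_all_sorted`, whose body starts outside the hunk, so a callback that assumes one call per cipher would now see duplicates; that is worth stating in the comment as well.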
1 change: 1 addition & 0 deletions crypto/fipsmodule/evp/evp.c
Expand Up @@ -576,6 +576,7 @@ void *EVP_PKEY_get0(const EVP_PKEY *pkey) {
case EVP_PKEY_RSA_PSS:
case EVP_PKEY_DSA:
case EVP_PKEY_EC:
case EVP_PKEY_DH:
return pkey->pkey.ptr;
default:
return NULL;
2 changes: 1 addition & 1 deletion include/openssl/evp.h
Expand Up @@ -1204,7 +1204,7 @@ OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *engine,

// EVP_PKEY_get0 returns the consumed key. The type of value returned will be
// one of the following, depending on the type of the |EVP_PKEY|:
// |RSA|, |DSA| or |EC_KEY|.
// |DH|, |DSA|, |EC_KEY|, or |RSA|.
//
// This function is provided only for compatibility with OpenSSL.
// Prefer the use the typed |EVP_PKEY_get0_*| functions instead.
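Review bot: The updated comment lists the returned types but still does not say that `EVP_PKEY_get0` returns NULL for any other key type, which is what the `default:` branch shown in crypto/fipsmodule/evp/evp.c does. Because the result is an untyped `void *`, a caller that casts it without checking the key type first will treat the pointer as the wrong struct; I would add `// It returns NULL for other key types. Callers must check |EVP_PKEY_id| before casting the result.` While editing this comment, the last line reads "Prefer the use the typed" and should be `// Prefer the typed |EVP_PKEY_get0_*| functions instead.`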
16 changes: 16 additions & 0 deletions include/openssl/ssl.h
Expand Up @@ -5731,6 +5731,22 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
// is intentionally not supported in AWS-LC.
#define SSL_VERIFY_CLIENT_ONCE 0

// SSL_OP_TLSEXT_PADDING is OFF by default in AWS-LC. Turning this ON in
// OpenSSL adds a padding extension to ensure the ClientHello size is never
// between 256 and 511 bytes in length. This is needed as a workaround for some
// implementations.
#define SSL_OP_TLSEXT_PADDING 0

// SSL_OP_SAFARI_ECDHE_ECDSA_BUG is OFF by default in AWS-LC. Turning this ON in
// OpenSSL defers ECDHE-ECDSA ciphers when the client appears to be Safari on
// OSX. OSX 10.8 ~ 10.8.3 has broken support for ECDHE-ECDSA ciphers.
#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0

// SSL_OP_CRYPTOPRO_TLSEXT_BUG is OFF by default in AWS-LC. Turning this ON in
// OpenSSL adds the server-hello extension from the early version of cryptopro
// draft when GOST ciphersuite is negotiated (which we don't support).
#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0

// The following have no effect in both AWS-LC and OpenSSL.
#define SSL_OP_EPHEMERAL_RSA 0
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0
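Review bot: The three new comments say each option is "OFF by default in AWS-LC", but the macros are defined as 0, so passing them to `SSL_set_options` cannot turn anything on and a check such as `SSL_get_options(ssl) & SSL_OP_TLSEXT_PADDING` is always false. "By default" suggests a switch exists; the neighbouring `SSL_VERIFY_CLIENT_ONCE` comment says "intentionally not supported", which is the accurate wording. I would write `// SSL_OP_TLSEXT_PADDING is not supported in AWS-LC and setting it has no effect.` and the same for `SSL_OP_SAFARI_ECDHE_ECDSA_BUG` and `SSL_OP_CRYPTOPRO_TLSEXT_BUG`, keeping the sentence that describes what OpenSSL does with each flag.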
