Add integration script and CI for ruby 3.1 and 3.2

[samuel40791765]

Description of changes:

We've finalized our support for Ruby 3.1 and 3.2. This adds the patch and integration CI to test against it.

Ruby 3.1 patch contents are as following:

1. Slight logic to properly detect AWS-LC in FIPS mode.
2. Differences in emitted error messages
3. During signature verification, an invalid ASN.1 input raises an error in Ruby/OpenSSL and an actual verification failure returns false. AWS-LC simply returns false for all cases.
4. OpenSSL allows invalid DH parameters to be parsed successfully and invalidates it in a subsequent call to params_ok?. AWS-LC simply disallows invalid parameters to be parsed.
5. AWS-LC does not support the serialization of custom/explicit curves. Explicit curves are highly impractical to validate from a security standpoint and have been the source of many CVEs. See the following issues for more details on why explicit curves are discouraged.
   • Deprecating base point compression and explicit curve parameters in EC key files openssl/openssl#9286
   • Allow explicit EC curve params for known named curves openssl/openssl#20119
6. AWS-LC does not support BN::CONSTTIME. See 0a211df for more details.
7. AWS-LC does not support DHE ciphersuites in SSL connections. 5 tests have been adjusted accordingly.
8. Changes in pkcs12 are pieces of ruby/ruby@63e9eaa in upstream Ruby. This test was testing with the wrong number of parameters. AWS-LC does not support the "old MSIE extension" mentioned in the commit.
9. Changes in test/openssl/test_pkey_rsa.rb are pieces of ruby/ruby@2e5680d in upstream Ruby. It accounts for RSA operations disallowed in FIPS mode in Ruby's RSA tests. The commit diff is a bit too large to muddle with the changes in this CR. It's also fairly recent and not directly applicable to Ruby 3.1's version of the file, so I've only taken pieces that ensure we're not losing coverage.

Ruby 3.2 patch contents are nearly identical to the points mentioned above. Only additional thing to note is AWS-LC does key checks while parsing EC Keys and disallows invalid keys to be parsed. This is similar to the DH params discrepancy described above in point 4.

Testing:

CI

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[WillChilds-Klein]

(sorry for lurking on a draft)

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.75%. Comparing base (850af98) to head (938d980).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1563      +/-   ##
==========================================
- Coverage   78.76%   78.75%   -0.01%     
==========================================
  Files         598      598              
  Lines      103683   103683              
  Branches    14742    14742              
==========================================
- Hits        81666    81657       -9     
- Misses      21364    21372       +8     
- Partials      653      654       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[WillChilds-Klein]

reviewed everything but the patch files this pass. will review those in the next pass.

[WillChilds-Klein]

I may be misunderstanding this, but from this PR's most recent CI run, it looks like a different executable than ./install/bin/ruby is used to execute the tests, namely miniruby:

test-all
  Run options: 
    --seed=24196
    "--ruby=./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"
    --excludes-dir=./test/excludes
    --name=!/memory_leak/

could we patch a test into the OpenSSL module unit tests that asserts OpenSSL::OPENSSL_VERSION.include? 'AWS-LC'?

[samuel40791765]

Not a test, but we do have a version detection mechanism in the patch:

+ def aws_lc?(major = nil, minor = nil, fix = nil)
+    version = OpenSSL::OPENSSL_VERSION.scan(/AWS-LC (\d+)\.(\d+)\.(\d+).*/)[0]
+    return false unless version
+    !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0
+  end

It's used throughout the tests to skip across various AWS-LC specific discrepancies. I'm hesitant to add a specific test that asserts AWS-LC. Ultimate end goal is to run this patch down to 0 if upstream is willing to take us. I also think the various bash checks we do and the mentioned version detection should be sufficient.

[samuel40791765]

miniruby appears to be minimal lighter version of ruby used in their build. The ruby binary we're asserting in this script is the actual ruby binary that the general consumer uses.

• https://github.com/ruby/ruby/wiki/Developer-How-To#make-targets

[WillChilds-Klein]

miniruby appears to be minimal lighter version of ruby used in their build

right. i think we need some way to assert that the miniruby used to run the tests is actually linked against AWS-LC. otherwise, we might be testing against an OpenSSL-backed miniruby, which is meaningless to us.

[samuel40791765]

Added an assertion for miniruby