[ruby/openssl] ssl: account for slight behavioral differences in AWS-LC
There are a few SSL discrepancies in AWS-LC when compared to OpenSSL. 1. AWS-LC has slightly different error messages (in all-caps). 2. AWS-LC has no support for DHE ciphersuites. 3. There is no concept of SSL security levels within AWS-LC. 4. Similar to LibreSSL, there is no support for OPENSSL_CONF. https://github.com/ruby/openssl/commit/a60d050342
This commit is contained in:
parent
4ec0e9e25d
commit
7a15ba48b5
@ -39,7 +39,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_ctx_options_config
|
def test_ctx_options_config
|
||||||
omit "LibreSSL does not support OPENSSL_CONF" if libressl?
|
omit "LibreSSL and AWS-LC do not support OPENSSL_CONF" if libressl? || aws_lc?
|
||||||
|
|
||||||
Tempfile.create("openssl.cnf") { |f|
|
Tempfile.create("openssl.cnf") { |f|
|
||||||
f.puts(<<~EOF)
|
f.puts(<<~EOF)
|
||||||
@ -680,6 +680,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_post_connect_check_with_anon_ciphers
|
def test_post_connect_check_with_anon_ciphers
|
||||||
|
omit "AWS-LC does not support DHE ciphersuites" if aws_lc?
|
||||||
|
|
||||||
ctx_proc = -> ctx {
|
ctx_proc = -> ctx {
|
||||||
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
|
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
|
||||||
ctx.ciphers = "aNULL"
|
ctx.ciphers = "aNULL"
|
||||||
@ -1410,7 +1412,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_minmax_version_system_default
|
def test_minmax_version_system_default
|
||||||
omit "LibreSSL does not support OPENSSL_CONF" if libressl?
|
omit "LibreSSL and AWS-LC do not support OPENSSL_CONF" if libressl? || aws_lc?
|
||||||
|
|
||||||
Tempfile.create("openssl.cnf") { |f|
|
Tempfile.create("openssl.cnf") { |f|
|
||||||
f.puts(<<~EOF)
|
f.puts(<<~EOF)
|
||||||
@ -1454,7 +1456,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_respect_system_default_min
|
def test_respect_system_default_min
|
||||||
omit "LibreSSL does not support OPENSSL_CONF" if libressl?
|
omit "LibreSSL and AWS-LC do not support OPENSSL_CONF" if libressl? || aws_lc?
|
||||||
|
|
||||||
Tempfile.create("openssl.cnf") { |f|
|
Tempfile.create("openssl.cnf") { |f|
|
||||||
f.puts(<<~EOF)
|
f.puts(<<~EOF)
|
||||||
@ -1737,6 +1739,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
if !aws_lc? # AWS-LC does not support DHE ciphersuites.
|
||||||
# DHE
|
# DHE
|
||||||
# TODO: SSL_CTX_set1_groups() is required for testing this with TLS 1.3
|
# TODO: SSL_CTX_set1_groups() is required for testing this with TLS 1.3
|
||||||
ctx_proc2 = proc { |ctx|
|
ctx_proc2 = proc { |ctx|
|
||||||
@ -1752,6 +1755,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key
|
assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
end
|
||||||
|
|
||||||
# ECDHE
|
# ECDHE
|
||||||
ctx_proc3 = proc { |ctx|
|
ctx_proc3 = proc { |ctx|
|
||||||
@ -1814,12 +1818,13 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
ctx2.enable_fallback_scsv
|
ctx2.enable_fallback_scsv
|
||||||
ctx2.max_version = OpenSSL::SSL::TLS1_1_VERSION
|
ctx2.max_version = OpenSSL::SSL::TLS1_1_VERSION
|
||||||
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
|
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
|
||||||
|
# AWS-LC has slightly different error messages in all-caps.
|
||||||
t = Thread.new {
|
t = Thread.new {
|
||||||
assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) {
|
assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) {
|
||||||
s2.connect
|
s2.connect
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback/) {
|
assert_raise_with_message(OpenSSL::SSL::SSLError, /inappropriate fallback|INAPPROPRIATE_FALLBACK/) {
|
||||||
s1.accept
|
s1.accept
|
||||||
}
|
}
|
||||||
t.join
|
t.join
|
||||||
@ -1830,6 +1835,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_tmp_dh_callback
|
def test_tmp_dh_callback
|
||||||
|
omit "AWS-LC does not support DHE ciphersuites" if aws_lc?
|
||||||
|
|
||||||
dh = Fixtures.pkey("dh-1")
|
dh = Fixtures.pkey("dh-1")
|
||||||
called = false
|
called = false
|
||||||
ctx_proc = -> ctx {
|
ctx_proc = -> ctx {
|
||||||
@ -1880,9 +1887,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
|
|
||||||
def test_ciphersuites_method_bogus_csuite
|
def test_ciphersuites_method_bogus_csuite
|
||||||
ssl_ctx = OpenSSL::SSL::SSLContext.new
|
ssl_ctx = OpenSSL::SSL::SSLContext.new
|
||||||
|
# AWS-LC has slightly different error messages in all-caps.
|
||||||
assert_raise_with_message(
|
assert_raise_with_message(
|
||||||
OpenSSL::SSL::SSLError,
|
OpenSSL::SSL::SSLError,
|
||||||
/SSL_CTX_set_ciphersuites: no cipher match/i
|
/SSL_CTX_set_ciphersuites: (no cipher match|NO_CIPHER_MATCH)/i
|
||||||
) { ssl_ctx.ciphersuites = 'BOGUS' }
|
) { ssl_ctx.ciphersuites = 'BOGUS' }
|
||||||
end
|
end
|
||||||
|
|
||||||
@ -1920,13 +1928,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
def test_ciphers_method_bogus_csuite
|
def test_ciphers_method_bogus_csuite
|
||||||
ssl_ctx = OpenSSL::SSL::SSLContext.new
|
ssl_ctx = OpenSSL::SSL::SSLContext.new
|
||||||
|
|
||||||
|
# AWS-LC has slightly different error messages in all-caps.
|
||||||
assert_raise_with_message(
|
assert_raise_with_message(
|
||||||
OpenSSL::SSL::SSLError,
|
OpenSSL::SSL::SSLError,
|
||||||
/SSL_CTX_set_cipher_list: no cipher match/i
|
/SSL_CTX_set_cipher_list: (no cipher match|NO_CIPHER_MATCH)/i
|
||||||
) { ssl_ctx.ciphers = 'BOGUS' }
|
) { ssl_ctx.ciphers = 'BOGUS' }
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_connect_works_when_setting_dh_callback_to_nil
|
def test_connect_works_when_setting_dh_callback_to_nil
|
||||||
|
omit "AWS-LC does not support DHE ciphersuites" if aws_lc?
|
||||||
|
|
||||||
ctx_proc = -> ctx {
|
ctx_proc = -> ctx {
|
||||||
ctx.max_version = :TLS1_2
|
ctx.max_version = :TLS1_2
|
||||||
ctx.ciphers = "DH:!NULL" # use DH
|
ctx.ciphers = "DH:!NULL" # use DH
|
||||||
@ -1942,6 +1953,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_tmp_dh
|
def test_tmp_dh
|
||||||
|
omit "AWS-LC does not support DHE ciphersuites" if aws_lc?
|
||||||
|
|
||||||
dh = Fixtures.pkey("dh-1")
|
dh = Fixtures.pkey("dh-1")
|
||||||
ctx_proc = -> ctx {
|
ctx_proc = -> ctx {
|
||||||
ctx.max_version = :TLS1_2
|
ctx.max_version = :TLS1_2
|
||||||
@ -2009,9 +2022,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
|
|
||||||
def test_security_level
|
def test_security_level
|
||||||
ctx = OpenSSL::SSL::SSLContext.new
|
ctx = OpenSSL::SSL::SSLContext.new
|
||||||
begin
|
|
||||||
ctx.security_level = 1
|
ctx.security_level = 1
|
||||||
rescue NotImplementedError
|
if aws_lc? # AWS-LC does not support security levels.
|
||||||
assert_equal(0, ctx.security_level)
|
assert_equal(0, ctx.security_level)
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
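Review bot: In the test_security_level hunk (`@ -2009,9 +2022,8`), dropping the `begin`/`rescue NotImplementedError` means the test now assumes `ctx.security_level = 1` returns without raising on AWS-LC and leaves the level at 0; if the extension still raises for a non-zero level on that build (its C side is not on this page), the test errors instead of being tolerated as before. The other hunks skip unsupported features up front with `omit "AWS-LC does not support DHE ciphersuites" if aws_lc?`, so for consistency this one could read `omit "AWS-LC does not support security levels" if aws_lc?` before the setter, unless pinning the silent no-op is deliberate. If it is deliberate, the `if aws_lc?` branch should state the expectation, e.g. `# AWS-LC accepts the setter but applies no security level; any minimum-strength policy it would enforce elsewhere is absent on this build.` Separately, `if !aws_lc?` in the `@ -1737,6 +1739,7` hunk is conventionally written `unless aws_lc?`. test_security_level's body continues outside the hunk.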