Add more test coverage for Ruby/OpenSSL gem (#2085)
Follow up from #1563 where we add more test coverage for the
Ruby/OpenSSL gem.

* ruby_release_backport is for any commits that are already on
   the main branch and are required for some tests on older releases
   to pass through.
* ruby_patch_common is for commits that all branches should
   need for additional tests to pass. These are outside of the
   ruby/openssl gem boundary, so I chose to consolidate the logic in a
   separate patch. Patches in this folder would be submitted to their
   respective repos instead of https://github.com/ruby/openssl.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
samuel40791765 authored Dec 31, 2024
1 parent c0e927e commit 4243a79
Showing 3 changed files with 70 additions and 6 deletions.
22 changes: 22 additions & 0 deletions tests/ci/integration/ruby_patch/ruby_patch_common/net-http.patch
@@ -0,0 +1,22 @@
diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
index a24f5e0..26ab754 100644
--- a/test/net/http/test_https.rb
+++ b/test/net/http/test_https.rb
@@ -167,6 +167,8 @@ def test_session_reuse
def test_session_reuse_but_expire
# FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('OpenSSL 1.1.0h')
+ # "AWS-LC does not support internal session caching on the client".
+ omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('AWS-LC')

http = Net::HTTP.new(HOST, config("port"))
http.use_ssl = true
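Review bot: The new `omit` at the top of test_session_reuse_but_expire carries its reason only as a quoted comment on the line above, so a skipped run does not report why. Consider passing the reason as the omit message, for example `omit "AWS-LC does not support internal session caching on the client" if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('AWS-LC')`, and dropping the quotation marks from the comment if it stays. The existing 1.1.0h line uses a bare `omit` as well, so this is consistent with the file but leaves the same gap.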
@@ -237,7 +239,7 @@ def test_certificate_verify_failure
ex = assert_raise(OpenSSL::SSL::SSLError){
http.request_get("/") {|res| }
}
- assert_match(/certificate verify failed/, ex.message)
+ assert_match(/certificate verify failed|CERTIFICATE_VERIFY_FAILED/, ex.message)
unless /mswin|mingw/ =~ RUBY_PLATFORM
# on Windows, Errno::ECONNRESET will be raised, and it'll be eaten by
# WEBrick
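Review bot: In test_certificate_verify_failure the widened pattern `/certificate verify failed|CERTIFICATE_VERIFY_FAILED/` accepts either spelling on every library, and nothing in the hunk says which library emits the upper-case form. A one-line comment above the assertion naming that library would keep the reason for the alternation from being lost when the test is next touched.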
@@ -0,0 +1,31 @@
From 226ae828c5cc2c87245417e9a372b9403c91a54c Mon Sep 17 00:00:00 2001
From: Jeremy Evans <[email protected]>
Date: Tue, 4 Jun 2024 16:35:06 -0700
Subject: [PATCH] Fix wrong certificate version

OpenSSL::X509::Certificate#version= calls X509_set_version, and
that sets the version stored in the certificate. However, the
version stored in certificate is one less than the actual
certificate version (https://www.openssl.org/docs/manmaster/man3/X509_set_version.html).
There are no version 4 certificates, and when using recent LibreSSL,
drb ssl tests all fail without this change.
---
lib/drb/ssl.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/drb/ssl.rb b/lib/drb/ssl.rb
index 392d656..4e4d992 100644
--- a/lib/drb/ssl.rb
+++ b/lib/drb/ssl.rb
@@ -185,7 +185,7 @@ module DRb
}

cert = OpenSSL::X509::Certificate.new
- cert.version = 3
+ cert.version = 2
cert.serial = 0
name = OpenSSL::X509::Name.new(self[:SSLCertName])
cert.subject = name
--
2.25.1
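Review bot: The header of this patch gives the upstream hash 226ae828c5cc2c87245417e9a372b9403c91a54c and the author but not the repository the commit came from, and the change to lib/drb/ssl.rb sits outside ruby/openssl. Recording the upstream repository or commit URL next to the patch would make it possible to tell when a branch already contains the fix and the file can be dropped. For anyone reading the hunk on its own: `cert.version = 2` is the zero-based encoding of an X.509 v3 certificate, as the commit message explains, so the value should not be changed back to 3.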

23 changes: 17 additions & 6 deletions tests/ci/integration/run_ruby_integration.sh
Expand Up @@ -25,6 +25,8 @@ FIPS=${FIPS:-"0"}
SCRATCH_FOLDER="${SRC_ROOT}/RUBY_BUILD_ROOT"
RUBY_SRC_FOLDER="${SCRATCH_FOLDER}/ruby-src"
RUBY_PATCH_FOLDER="${SRC_ROOT}/tests/ci/integration/ruby_patch"
RUBY_BACKPORT_FOLDER="${SRC_ROOT}/tests/ci/integration/ruby_patch/ruby_release_backport"
RUBY_COMMON_FOLDER="${SRC_ROOT}/tests/ci/integration/ruby_patch/ruby_patch_common"
AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
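Review bot: RUBY_BACKPORT_FOLDER and RUBY_COMMON_FOLDER repeat the `${SRC_ROOT}/tests/ci/integration/ruby_patch` prefix that RUBY_PATCH_FOLDER already holds on the line above them. Deriving both from it, e.g. `RUBY_BACKPORT_FOLDER="${RUBY_PATCH_FOLDER}/ruby_release_backport"`, keeps the three paths from drifting apart if the directory is ever moved.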

Expand All @@ -45,26 +47,35 @@ function ruby_build() {
ldd "$(find "$PWD/install" -name "openssl.so")" | grep "${AWS_LC_INSTALL_FOLDER}/lib/libcrypto.so" || exit 1
ldd "$(find "$PWD/install" -name "openssl.so")" | grep "${AWS_LC_INSTALL_FOLDER}/lib/libssl.so" || exit 1

#TODO: add more relevant tests here
make test-all TESTS="test/openssl/*.rb"
make test-all TESTS="test/drb/*ssl*.rb"
make test-all TESTS="test/rubygems/test*.rb"

popd
}

function ruby_patch() {
local branch=${1}
local src_dir="${RUBY_SRC_FOLDER}/${branch}"
local patch_dir="${RUBY_PATCH_FOLDER}/${branch}"
if [[ ! $(find -L ${patch_dir} -type f -name '*.patch') ]]; then
local patch_dirs=("${RUBY_PATCH_FOLDER}/${branch}" "${RUBY_COMMON_FOLDER}")
if [[ ! $(find -L ${patch_dirs[0]} -type f -name '*.patch') ]]; then
echo "No patch for ${branch}!"
exit 1
fi
git clone https://github.com/ruby/ruby.git ${src_dir} \
--depth 1 \
--branch ${branch}
for patchfile in $(find -L ${patch_dir} -type f -name '*.patch'); do
echo "Apply patch ${patchfile}..."
cat ${patchfile} | patch -p1 --quiet -d ${src_dir}

# Add directory of backport patches if branch is not master.
if [[ "${branch}" != "master" ]]; then
patch_dirs+=("${RUBY_BACKPORT_FOLDER}")
fi

for patch_dir in "${patch_dirs[@]}"; do
for patchfile in $(find -L ${patch_dir} -type f -name '*.patch'); do
echo "Apply patch ${patchfile}..."
cat ${patchfile} | patch -p1 --quiet -d ${src_dir}
done
done
}
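Review bot: In the nested loop of ruby_patch, the result of `patch -p1 --quiet -d ${src_dir}` is not checked in the lines shown, and ruby_release_backport is applied to every branch other than master, so a backport that a release branch already contains, or that no longer applies, should stop the run rather than be passed over. Consider `patch -p1 --quiet -d "${src_dir}" < "${patchfile}" || exit 1`, in the same style as the ldd checks in ruby_build. The `for patchfile in $(find ...)` form also splits on whitespace and applies patches in whatever order find returns; quoting `${patch_dir}` and sorting the list would make the order deterministic. The emptiness check covers only `${patch_dirs[0]}`, which deserves a comment stating that only the per-branch folder is required to contain a patch.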
