More tweaks for Ruby integration

crypto/cipher_extra/cipher_extra.c

@@ -73,16 +73,19 @@ static const struct {
   const EVP_CIPHER *(*func)(void);
 } kCiphers[] = {
     {NID_aes_128_cbc, "aes-128-cbc", EVP_aes_128_cbc},
+    {NID_aes_128_cfb128, "aes-128-cfb", EVP_aes_128_cfb},
     {NID_aes_128_ctr, "aes-128-ctr", EVP_aes_128_ctr},
     {NID_aes_128_ecb, "aes-128-ecb", EVP_aes_128_ecb},
     {NID_aes_128_gcm, "aes-128-gcm", EVP_aes_128_gcm},
     {NID_aes_128_ofb128, "aes-128-ofb", EVP_aes_128_ofb},
     {NID_aes_192_cbc, "aes-192-cbc", EVP_aes_192_cbc},
+    {NID_aes_192_cfb128, "aes-192-cfb", EVP_aes_192_cfb},
     {NID_aes_192_ctr, "aes-192-ctr", EVP_aes_192_ctr},
     {NID_aes_192_ecb, "aes-192-ecb", EVP_aes_192_ecb},
     {NID_aes_192_gcm, "aes-192-gcm", EVP_aes_192_gcm},
     {NID_aes_192_ofb128, "aes-192-ofb", EVP_aes_192_ofb},
     {NID_aes_256_cbc, "aes-256-cbc", EVP_aes_256_cbc},
+    {NID_aes_256_cfb128, "aes-256-cfb", EVP_aes_256_cfb},
     {NID_aes_256_ctr, "aes-256-ctr", EVP_aes_256_ctr},
     {NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb},
     {NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm},

crypto/decrepit/evp/evp_do_all.c

@@ -67,6 +67,10 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
   callback(EVP_rc2_cbc(), "rc2-cbc", NULL, arg);
   callback(EVP_rc4(), "rc4", NULL, arg);
   callback(EVP_chacha20_poly1305(), "chacha20-poly1305", NULL, arg);
+
+  // Other possible historical aliases from OpenSSL.
+  callback(EVP_aes_128_cbc(), "aes128", NULL, arg);
+  callback(EVP_aes_256_cbc(), "aes256", NULL, arg);
 }
 
 void EVP_MD_do_all_sorted(void (*callback)(const EVP_MD *cipher,

crypto/fipsmodule/evp/evp.c

@@ -576,6 +576,7 @@ void *EVP_PKEY_get0(const EVP_PKEY *pkey) {
     case EVP_PKEY_RSA_PSS:
     case EVP_PKEY_DSA:
     case EVP_PKEY_EC:
+    case EVP_PKEY_DH:
       return pkey->pkey.ptr;
     default:
       return NULL;

include/openssl/evp.h

@@ -1204,7 +1204,7 @@ OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *engine,
 
 // EVP_PKEY_get0 returns the consumed key. The type of value returned will be
 // one of the following, depending on the type of the |EVP_PKEY|:
-// |RSA|, |DSA| or |EC_KEY|.
+// |DH|, |DSA|, |EC_KEY|, or |RSA|.
 //
 // This function is provided only for compatibility with OpenSSL.
 // Prefer the use the typed |EVP_PKEY_get0_*| functions instead.

include/openssl/ssl.h

@@ -5731,6 +5731,22 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
 // is intentionally not supported in AWS-LC.
 #define SSL_VERIFY_CLIENT_ONCE 0
 
+// SSL_OP_TLSEXT_PADDING is OFF by default in AWS-LC. Turning this ON in
+// OpenSSL adds a padding extension to ensure the ClientHello size is never
+// between 256 and 511 bytes in length. This is needed as a workaround for some
+// implementations.
+#define SSL_OP_TLSEXT_PADDING 0
+
+// SSL_OP_SAFARI_ECDHE_ECDSA_BUG is OFF by default in AWS-LC. Turning this ON in
+// OpenSSL defers ECDHE-ECDSA ciphers when the client appears to be Safari on
+// OSX. OSX 10.8 ~ 10.8.3 has broken support for ECDHE-ECDSA ciphers.
+#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0
+
+// SSL_OP_CRYPTOPRO_TLSEXT_BUG is OFF by default in AWS-LC. Turning this ON in
+// OpenSSL adds the server-hello extension from the early version of cryptopro
+// draft when GOST ciphersuite is negotiated (which we don't support).
+#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0
+
 // The following have no effect in both AWS-LC and OpenSSL.
 #define SSL_OP_EPHEMERAL_RSA 0
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0