From 30901750d9332d203221f21f68fe5342c43203a5 Mon Sep 17 00:00:00 2001 From: Jarek Prokop Date: Tue, 13 May 2025 11:59:04 +0200 Subject: [PATCH] Fix OpenSSL ASN1 assertions, they are invalid without seconds. Fix test failures in ASN1 decoding, where time format is passed without seconds. That is invalid with current OpenSSL. Fixes failures: ``` 2) Error: OpenSSL::TestASN1#test_generalizedtime: OpenSSL::ASN1::ASN1Error: generalizedtime is too short /builddir/build/BUILD/ruby-3.0.7/test/openssl/test_asn1.rb:701:in `decode' /builddir/build/BUILD/ruby-3.0.7/test/openssl/test_asn1.rb:701:in `decode_test' /builddir/build/BUILD/ruby-3.0.7/test/openssl/test_asn1.rb:436:in `test_generalizedtime' 3) Error: OpenSSL::TestASN1#test_utctime: OpenSSL::ASN1::ASN1Error: utctime is too short /builddir/build/BUILD/ruby-3.0.7/test/openssl/test_asn1.rb:701:in `decode' /builddir/build/BUILD/ruby-3.0.7/test/openssl/test_asn1.rb:701:in `decode_test' /builddir/build/BUILD/ruby-3.0.7/test/openssl/test_asn1.rb:409:in `test_utctime' ``` See: https://github.com/ruby/openssl/pull/728 Source: https://github.com/ruby/openssl/commit/2e826d571546cdc3beaa884f9e522a102d531641 Related: RHEL-86130 --- ruby.spec | 4 ++ ...rb-Remove-the-assertions-of-the-time.patch | 62 +++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 rubygem-openssl-3.3.0-test_asn1.rb-Remove-the-assertions-of-the-time.patch diff --git a/ruby.spec b/ruby.spec index 02d450b..133eb9a 100644 --- a/ruby.spec +++ b/ruby.spec @@ -342,6 +342,9 @@ Patch77: rubygem-cgi-0.3.5.1-Fix-ReDoS-in-CGI-CVE-2025-27220.patch # Only CSR version 1 (encoded as 0) is allowed by PKIX standards # https://github.com/ruby/openssl/pull/747 Patch78: rubygem-openssl-3.3.0-Only-CSR-version-1-encoded-as-0-is-allowed-by-PKIX.patch +# Remove the assertions of the time string format without second. +# https://github.com/ruby/openssl/pull/728 +Patch79: rubygem-openssl-3.3.0-test_asn1.rb-Remove-the-assertions-of-the-time.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Suggests: rubypick @@ -823,6 +826,7 @@ rm -rf ext/fiddle/libffi* %patch76 -p1 %patch77 -p1 %patch78 -p1 +%patch79 -p1 # Instead of adjusting patch's directory, use the following form where # we first enter the correct directory, this allows more general application diff --git a/rubygem-openssl-3.3.0-test_asn1.rb-Remove-the-assertions-of-the-time.patch b/rubygem-openssl-3.3.0-test_asn1.rb-Remove-the-assertions-of-the-time.patch new file mode 100644 index 0000000..b24adb9 --- /dev/null +++ b/rubygem-openssl-3.3.0-test_asn1.rb-Remove-the-assertions-of-the-time.patch @@ -0,0 +1,62 @@ +From 561b56fcb552654e7c9449959f49fbc014798a58 Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Tue, 12 Mar 2024 14:39:05 +0100 +Subject: [PATCH] test_asn1.rb: Remove the assertions of the time string format + without second. + +This commit fixes the following errors in the tests. +Because the OpenSSL project changed the code to make the time string format +without second invalid. So, we drop the assertions. + +``` +1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short +/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode' +/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test' +/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime' + 430: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39)) + 431: # LibreSSL 3.6.0 requires the seconds element + 432: return if libressl? + => 433: decode_test B(%w{ 18 0D }) + "201612081934Z".b, + 434: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0)) + 435: # not implemented + 436: # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b, + +2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short +/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode' +/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test' +/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime' + 408: end + 409: # Seconds is omitted. LibreSSL 3.6.0 requires it + 410: return if libressl? + => 411: decode_test B(%w{ 17 0B }) + "1609082343Z".b, + 412: OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0)) + 413: # not implemented + 414: # decode_test B(%w{ 17 11 }) + "500908234339+0930".b, +``` +--- + test/openssl/test_asn1.rb | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb +index af069cad6e..b5cf1adfd8 100644 +--- a/test/openssl/test_asn1.rb ++++ b/test/openssl/test_asn1.rb +@@ -405,9 +405,6 @@ def test_set + def test_utctime + encode_decode_test B(%w{ 17 0D }) + "160908234339Z".b, + OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 39)) +- # Seconds is omitted +- decode_test B(%w{ 17 0B }) + "1609082343Z".b, +- OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0)) + begin + # possible range of UTCTime is 1969-2068 currently + encode_decode_test B(%w{ 17 0D }) + "690908234339Z".b, +@@ -433,8 +430,6 @@ def test_generalizedtime + OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 29)) + encode_decode_test B(%w{ 18 0F }) + "99990908234339Z".b, + OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39)) +- decode_test B(%w{ 18 0D }) + "201612081934Z".b, +- OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0)) + # not implemented + # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b, + # OpenSSL::ASN1::GeneralizedTime.new(Time.new(2016, 12, 8, 19, 34, 39, "+09:30"))